pf not stopping bruteforce attempts

I am setting up an SFTP server for me and my friends and I am trying to stop brute force attempts.

I have read many articles on how to get pf to stop brute force attacks and am not having any luck.

I am running OpenBSD 6.4. Here is my current /etc/pf.conf:

#       $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
set skip on lo
block return # block stateless traffic
pass # establish keep-state
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
ext_if="em0"
antispoof quick for ($ext_if) #No IP or GPS SPOOFING allowed here :)
table <bruteforce> persist
block quick from <bruteforce>
pass inet proto tcp to any:network port 22 \
    keep state (max-src-conn 10, max-src-conn-rate 5/5, \
    overload <bruteforce> flush global)
table <ssh_block> persist
block quick from <ssh_block> to any

When I checked the tables bruteforce and ssh_block, they didn't exist. So on ssh_block I ran the command:

pfctl -t ssh_block -T add 218.92.1.138
1 table created.
1/1 addresses added.
pfctl -t ssh_block -T show
218.92.1.138

However, my /var/log/authlog is still filling up with attempts from that IP address.

What am I missing?

  • Did you reboot or run pfctl -f /etc/pf.conf after modifying that file?
    – Kusalananda, Dec 19 '18 at 16:32

  • I had an error on the config: "no IP address found for any:network /etc/pf.conf:22: could not parse host specification pfctl: Syntax error in config file: pf rules not loaded". I commented out my other block rule. No errors now. However, after I rebooted the server my ssh_block table is empty.
    – babyPenguin, Dec 19 '18 at 16:46

  • You can't use :network on any, I think. I just use pass in on egress proto tcp to any port ssh (etc.)
    – Kusalananda, Dec 19 '18 at 16:50

  • @Kusalananda please make that an answer and I will accept it. I haven't received any more attempts from that IP address.
    – babyPenguin, Dec 19 '18 at 18:22

ssh security openbsd pf

edited Dec 19 '18 at 18:41 by Rui F Ribeiro
asked Dec 19 '18 at 16:13 by babyPenguin

1 Answer

The issue was an error in the /etc/pf.conf file that prevented the firewall from loading its configuration at all (:network applies to a specific interface).

An example of using pf for blocking brute-force connections is given in the OpenBSD PF FAQ, and it boils down to the rules (modified from originally being a www example to something I am using for ssh):

table <bruteforce> persist
block in quick from <bruteforce>

pass in on egress proto tcp to any port ssh flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 5/30, \
     overload <bruteforce> flush global)

This would put any host that connects more often than five times every 30 seconds into the <bruteforce> table, which would block it. It also only allows five connections per source address.

Another option is to use SSHGuard. There is a port of SSHGuard for OpenBSD, but it's very old (release 1.5 from 2011). I've just (a few minutes ago) submitted an update to it which will hopefully be committed within a few days.

edited Dec 19 '18 at 18:46
answered Dec 19 '18 at 18:35 by Kusalananda

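As an added example (not part of the question or of Kusalananda's answer), the POSIX shell script below does the check the asker was doing by hand: it counts failed SSH logins per source address in authlog-style lines, prints the pfctl commands that would put the worst offenders into the ssh_block table, and appends them to a file that pf loads with table <ssh_block> persist file "/etc/ssh_block", which is what keeps the table from coming back empty after a reboot. The log lines, the host name, the 192.0.2.10 and 198.51.100.7 addresses, the threshold and the /etc/ssh_block path are constructed or assumed for this example.

```shell
#!/bin/sh
# Added example, not part of the question or answer. Counts failed SSH
# logins per source address in OpenBSD authlog-style lines and turns the
# worst offenders into <ssh_block> table entries. Assumptions: sshd's
# authlog format, the ssh_block table name from the question, and a table
# file referenced from pf.conf as
#     table <ssh_block> persist file "/etc/ssh_block"
# (addresses added only with "pfctl -T add" live in the kernel and vanish
# on reboot; entries in the file are reloaded together with the ruleset).

# Constructed sample authlog lines (not real log data).
SAMPLE_AUTHLOG='Dec 19 16:20:01 sftp sshd[41321]: Failed password for root from 218.92.1.138 port 41022 ssh2
Dec 19 16:20:03 sftp sshd[41321]: Failed password for root from 218.92.1.138 port 41022 ssh2
Dec 19 16:20:05 sftp sshd[41333]: Failed password for invalid user admin from 218.92.1.138 port 41190 ssh2
Dec 19 16:20:06 sftp sshd[41333]: Failed password for invalid user admin from 218.92.1.138 port 41190 ssh2
Dec 19 16:21:10 sftp sshd[41402]: Failed password for alice from 192.0.2.10 port 50022 ssh2
Dec 19 16:21:30 sftp sshd[41402]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Dec 19 16:22:00 sftp sshd[41455]: Invalid user test from 198.51.100.7 port 33001'

# ssh_offenders THRESHOLD: read authlog lines on stdin and print
# "count ip" for every source with at least THRESHOLD failed attempts,
# highest count first. "Failed password for ... from IP" and
# "Invalid user ... from IP" both count; accepted logins do not.
ssh_offenders() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: (Failed password for|Invalid user) / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' | sort -rn
}

# pf_block_commands: turn "count ip" lines into the pfctl commands that
# add the addresses to the kernel table (printed, not executed).
pf_block_commands() {
    awk '{ print "pfctl -t ssh_block -T add " $2 }'
}

# append_to_table_file FILE: append each ip from "count ip" lines on
# stdin to FILE unless it is already listed, so repeated runs stay clean.
append_to_table_file() {
    f="$1"
    [ -f "$f" ] || : > "$f"
    awk '{ print $2 }' | while read -r ip; do
        grep -qxF "$ip" "$f" || printf '%s\n' "$ip" >> "$f"
    done
}

# Stand-alone run: sources with 3 or more failures become block commands.
printf '%s\n' "$SAMPLE_AUTHLOG" | ssh_offenders 3 | pf_block_commands
```

Once the file has been updated, pfctl -t ssh_block -T replace -f /etc/ssh_block brings the kernel table in line with it without reloading the whole ruleset.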