Tuesday, July 23, 2013

FreeBSD success: Block bruteforce ssh attacks, plus squid

I recently built a new FreeBSD server to replace my aging system.  This server acts as my firewall, dhcp server, does NAT, and now that I have lots more disk space, will be the local file server.  During the switchover, I decided to begin using OpenBSD packet filter pf which is one of the firewall options in FreeBSD.

I am still getting the hang of configuring pf, but I have been able to set it up to notice brute force attacks on my open services (e.g. ssh) and put those hosts on a blacklist.  This makes me happy, since my daily system report has always included pages and pages of attempted access to my system.

So I can always recreate my success when I inevitable mess it up later, this post documents how I did it.

First, you need to enable pf.  The FreeBSD handbook has the details.  That page also details what I'm talking about, so this post isn't even needed. :)

The relevant portions of  my pf.conf are something like:
# Services I offer to the world
ext_svc_tcp="{ ssh, ftp, http }"

table <bruteforce> persist
scrub in
nat on $ext_if from !($ext_if) -> ($ext_if:0)
# Filter Rules
block in
block quick from <bruteforce>
# Allow rules for services running on Tigger
pass in on $ext_if inet proto tcp from any to ($ext_if) port $ext_svc_tcp \
        flags S/SA keep state \
        (max-src-conn 50, max-src-conn-rate 10/5, \
        overload <bruteforce> flush global)
I'm not certain if the bruteforce table persists across reboots or reloading of the firewall, but I figure it should since the keyword persist is on the table definition.  Table lines can also have "file <path>" options, which might write it out to an editable file?

How do I know this is working?

# pfctl -t bruteforce -Tshow
No ALTQ support in kernel
ALTQ related functions disabled

I also am attempting to use squid to remove ads during web browsing. On desktop computers, I am very happy with Adblock Plus on Firefox, but it really bothers me that I am deluged with ads on my iPad and the like.  SquidGuard seems like the perfect addition to filter the ads, but, while I have configured it into the stream, it isn't blocking things I know it should.   However, I have had success with Upside-down-ternet.  The kids don't know what hit them. (I recommend using mogrify options "-flip -swirl 45".)

squid is automatically placed into all outgoing http requests by adding this line to pf.conf:
rdr pass on $int_if proto tcp to port http -> port 3129
and adding this to squid.conf, after rebuilding www/squid33 with TP_PF enabled:
http_port 3129 intercept