Blocking Bruteforce attacks with OpenBSD's pf firewall

In this tutorial, I will show you how to set up bruteforce tables in pf on OpenBSD. Bruteforce attacks can be a real problem for SSH servers that use password authentication and are connected to the internet. To a lesser degree, password-protected websites can be a target too. But even if you are not using SSH with password authentication or password-protected directories with .htpasswd, you can still be a target for directory enumeration and other automated attacks, simply by running a web server at all.

Configure the bruteforce table

First I'll show you how to set up a basic bruteforce table. Open /etc/pf.conf and enter the following. The order matters: both rules are quick, so the block rule has to come before the pass rule or an address already in the table would still be let through.

table <bruteforce> persist
block quick from <bruteforce>

pass in quick proto tcp to port 22 flags S/SA keep state (max-src-conn 8, max-src-conn-rate 3/1, overload <bruteforce> flush global)

This sets up a bruteforce table for SSH. max-src-conn 8 caps each source address at eight simultaneous connections, and max-src-conn-rate 3/1 caps it at three new connections per second. That is a rather strict setting, and you may want to give it more leeway. Once either limit is exceeded, the source address is entered into the bruteforce table, flush global kills every state that address already has (not just the ones created by this rule), and the block rule drops everything it sends to your server from then on. You can either keep the addresses in the table or expire them after a period of time, so that you don't end up with an ever-growing list and so that nobody is blocked permanently, including yourself, should you trip the limit from your own workstation.

The same rules can be used for web servers; just change the port number. Keep in mind that a browser opens several connections in parallel when loading a page, so the limits for port 80 or 443 should be considerably looser than the ones for SSH.

After making changes to /etc/pf.conf, reload the file with the following command (pfctl -n parses the file without loading it, if you want to check the syntax first):

# pfctl -f /etc/pf.conf
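A pre-flight check for the rules above, as an added example that is not part of the original page. It is a POSIX sh script that reads a pf.conf and refuses it if the block rule for <bruteforce> is missing, lacks quick, or comes after a rule that overloads into the table, and then hands the file to pfctl -nf, which parses without loading. The two rulesets embedded in it are constructed samples; the <trusted> table, the 192.0.2.0/24 admin network and the HTTP limits are assumptions, not anything the page specifies.

```sh
#!/bin/sh
# Added example, not from the original page: pre-flight check for the
# <bruteforce> rules in a pf.conf before it is loaded.
# The sample rulesets at the bottom are constructed; the <trusted> table,
# the 192.0.2.0/24 admin network and the HTTP limits are assumptions.
set -eu

# Read a pf.conf on stdin and fail unless a `block quick from <bruteforce>`
# rule exists and appears before every rule that overloads into <bruteforce>.
# Both rules are `quick`, so if the pass rule comes first, or the block rule
# lacks `quick`, an address already in the table is still let through.
check_ruleset() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*block[ \t]/ && /from[ \t]+<bruteforce>/ {
            if (/[ \t]quick[ \t]/) { if (!blk) blk = NR } else noquick = 1
        }
        /overload[ \t]+<bruteforce>/ && !blk { early = NR }
        END {
            if (!blk)    { print "no block quick rule for <bruteforce>" > "/dev/stderr"; exit 1 }
            if (noquick) { print "block rule for <bruteforce> lacks quick" > "/dev/stderr"; exit 1 }
            if (early)   { print "overload rule on line " early " precedes the block rule" > "/dev/stderr"; exit 1 }
        }'
}

# Full pre-flight on a file: the structural check above, then pfctl's own
# parser. pfctl -n parses without loading, so nothing changes on failure.
preflight() {
    check_ruleset < "$1"
    pfctl -nf "$1"
}

# Constructed ruleset that passes: the admin network is exempted from the
# overload logic, SSH is strict, HTTP(S) is looser because a browser opens
# several connections in parallel for a single page.
good_ruleset() {
    cat <<'EOF'
table <bruteforce> persist
table <trusted> persist { 192.0.2.0/24 }

pass in quick proto tcp from <trusted> to port 22
block quick from <bruteforce>

pass in quick proto tcp to port 22 flags S/SA keep state \
    (max-src-conn 8, max-src-conn-rate 3/1, overload <bruteforce> flush global)
pass in quick proto tcp to port { 80 443 } flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 60/10, overload <bruteforce> flush global)
EOF
}

# Constructed ruleset that fails: the block rule comes after the pass rule,
# so the quick pass rule matches first and the table never bites.
bad_ruleset() {
    cat <<'EOF'
table <bruteforce> persist
pass in quick proto tcp to port 22 flags S/SA keep state \
    (max-src-conn 8, max-src-conn-rate 3/1, overload <bruteforce> flush global)
block quick from <bruteforce>
EOF
}

if [ $# -gt 0 ]; then
    preflight "$1"          # e.g. ./pf-preflight /etc/pf.conf, run as root
else
    good_ruleset | check_ruleset && echo "good sample: accepted"
    if ! bad_ruleset | check_ruleset; then echo "bad sample: rejected, as intended"; fi
fi
```

Run it as root with /etc/pf.conf as the argument before pfctl -f; with no argument it exercises the checker on the two samples. The structural check is deliberately narrow and does not try to parse pf syntax; that is what the pfctl -n step is for.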

Using pfctl to manipulate the table

You can view entries in the bruteforce table with the following command

# pfctl -t bruteforce -T show

You can also manually add or delete the entries with the following commands

# pfctl -t bruteforce -T add 10.0.0.157
# pfctl -t bruteforce -T delete 10.0.0.157

You can also expire entries manually by age. The argument is a number of seconds, and every entry that has been in the table longer than that (more precisely, whose statistics were last cleared more than that many seconds ago) is removed. The following removes everything older than 30000 seconds, a little over eight hours.

# pfctl -t bruteforce -T expire 30000

Automatically expire addresses

Another option is to set up a cron job that expires entries automatically every, say, five minutes. crontab -e opens the crontab in vi unless you point the EDITOR (or VISUAL) environment variable at another editor, so this requires some knowledge of vi or an editor of your choice. If you don't want to deal with that, you can stick with expiring entries manually.

First we need to create a script file containing the command to run. Write the command out in full, without the shell prompt, use the full path to pfctl since cron does not necessarily have /sbin in its PATH, and mark the file executable with chmod +x.

#!/bin/sh
/sbin/pfctl -t bruteforce -T expire 1

Note what expire 1 does: at every run it removes all entries older than one second, so an address stays blocked only until the next run, which may be anywhere from a second to five minutes away. If you want each address to stay blocked for at least five minutes, use expire 300 instead; with a five-minute schedule an entry is then kept for between five and ten minutes.

Once the file is in place, add the entry to root's crontab (doas crontab -e; pfctl needs root) and enter the following, replacing /path/to/file with wherever you saved the script:

*/5  * * * * /path/to/file >/dev/null 2>&1

Now cron will run the command in your file every five minutes, expiring the entries in the bruteforce table.
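The cron job described above, as an added example rather than the page's own script: a POSIX sh expiry script that snapshots the table's per-address counters (pfctl -vT show) before expiring, then logs through syslog only the addresses that were actually released, together with the number of inbound packets the block rule dropped for each. The sample pfctl output inside it is constructed to match the per-entry layout pfctl prints with -v; the table name, the 300-second TTL, the log tag and the /sbin/pfctl path are assumptions you can override.

```sh
#!/bin/sh
# Added example, not from the original page: a cron-driven expiry script
# that records how much traffic each address had blocked before it is
# released. Table name, TTL, log tag and pfctl path are assumptions.
set -eu

TABLE="${TABLE:-bruteforce}"
TTL="${TTL:-300}"          # minimum seconds an address stays listed; cron adds up to one period
PFCTL=/sbin/pfctl          # full path: cron's PATH may not include /sbin

# Turn `pfctl -t <table> -vT show` output into "address blocked_packets"
# lines. The layout assumed here is the per-entry block pfctl prints with -v:
#    192.0.2.10
#        Cleared:     ...
#        In/Block:    [ Packets: 36  Bytes: 2160 ]
summarize_table() {
    awk '
        NF && $1 !~ /^(Cleared|In\/Block|In\/Pass|Out\/Block|Out\/Pass):$/ { addr = $1 }
        $1 == "In/Block:" { print addr, $4 }'
}

# $1 = summary taken before expiry ("addr pkts" per line),
# $2 = plain `pfctl -T show` output taken afterwards.
# Prints the entries that were released, with their inbound blocked packets.
report_expired() {
    printf '%s\n' "$1" | awk -v still="$2" '
        BEGIN {
            n = split(still, a, "\n")
            for (i = 1; i <= n; i++) { sub(/^[ \t]+/, "", a[i]); present[a[i]] = 1 }
        }
        NF && !($1 in present) { print $1, $2 }'
}

# Snapshot, expire entries older than TTL, then log only what was dropped.
expire_entries() {
    before=$("$PFCTL" -t "$TABLE" -vT show | summarize_table)
    "$PFCTL" -q -t "$TABLE" -T expire "$TTL"
    after=$("$PFCTL" -t "$TABLE" -T show)
    report_expired "$before" "$after" | while read -r addr pkts; do
        logger -t "$TABLE" "released $addr after >=${TTL}s, $pkts inbound packets blocked"
    done
}

# Constructed sample of `-vT show` output for trying the parser offline.
sample_show() {
    cat <<'EOF'
   192.0.2.10
        Cleared:     Wed Aug 14 10:12:33 2019
        In/Block:    [ Packets: 36       Bytes: 2160      ]
        In/Pass:     [ Packets: 0        Bytes: 0         ]
        Out/Block:   [ Packets: 0        Bytes: 0         ]
        Out/Pass:    [ Packets: 0        Bytes: 0         ]
   198.51.100.7
        Cleared:     Wed Aug 14 10:40:01 2019
        In/Block:    [ Packets: 1201     Bytes: 72060     ]
        In/Pass:     [ Packets: 0        Bytes: 0         ]
        Out/Block:   [ Packets: 0        Bytes: 0         ]
        Out/Pass:    [ Packets: 0        Bytes: 0         ]
EOF
}

case "${1:-}" in
    run) expire_entries ;;                   # what the crontab entry calls
    *)   sample_show | summarize_table ;;    # offline demo of the parser
esac
```

Install it somewhere like /usr/local/sbin/pf-expire, make it executable, and call it from root's crontab as `*/5 * * * * /usr/local/sbin/pf-expire run`. With TTL=300 and a five-minute schedule an address stays listed for between five and ten minutes, and every release is recorded through syslog under the bruteforce tag, which makes repeat offenders that keep coming back easy to spot.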

