Fail2ban alternative for OpenBSD


Fail2ban alternative for OpenBSD

x9p-2
Hi,

Coming from the Linux world, I wonder if there is a better alternative
to fail2ban, already being used in OpenBSD servers by the majority.

cheers.

x9p


Re: Fail2ban alternative for OpenBSD

Tom Rosso-4
On 2017-10-28 21:20, x9p wrote:
> Hi,
>
> Coming from the Linux world, I wonder if there is a better alternative
> to fail2ban, already being used in OpenBSD servers by the majority.
>
> cheers.
>
> x9p

The pf firewall provides the capability to block brute force attacks.  
See max-src-conn-rate.
https://www.openbsd.org/faq/pf/filter.html#stateopts


Re: Fail2ban alternative for OpenBSD

Rupert Gallagher
Note that PF cannot discriminate between legitimate and abusive multiple connections from the same CIDR. If you whitelist the CIDR of a mobile network, to avoid banning yourself on port 993, you also whitelist bruteforce attacks from the same CIDR.

Sent from ProtonMail Mobile

On Sun, Oct 29, 2017 at 5:26 AM, Tom Rosso <[hidden email]> wrote:

> On 2017-10-28 21:20, x9p wrote:
> > Hi,
> >
> > Coming from the Linux world, I wonder if there is a better alternative
> > to fail2ban, already being used in OpenBSD servers by the majority.
> >
> > cheers.
> >
> > x9p
>
> The pf firewall provides the capability to block brute force attacks. See max-src-conn-rate.
> https://www.openbsd.org/faq/pf/filter.html#stateopts

Re: Fail2ban alternative for OpenBSD

x9p-2
On 2017-10-29 04:35, Rupert Gallagher wrote:

> Note that PF cannot discriminate between legitimate and abusive
> multiple connections from same cidr. If you whitelist the cidr of a
> mobile network, to avoid banning yourself on port 993, you also
> whitelist bruteforce attacks from the same cidr.
>
> Sent from ProtonMail Mobile
>
> On Sun, Oct 29, 2017 at 5:26 AM, Tom Rosso <[hidden email]> wrote:
>
>> On 2017-10-28 21:20, x9p wrote:
>> > Hi,
>> >
>> > Coming from the Linux world, I wonder if there is a better alternative
>> > to fail2ban, already being used in OpenBSD servers by the majority.
>> >
>> > cheers.
>> >
>> > x9p
>>
>> The pf firewall provides the capability to block brute force attacks. See
>> max-src-conn-rate.
>> https://www.openbsd.org/faq/pf/filter.html#stateopts

http://openports.se/sysutils/sec was suggested, which seems the most
proper.

Thanks all for the input.

cheers.

x9p


Re: Fail2ban alternative for OpenBSD

Jacob Leifman
You might also want to check out http://openports.se/security/sshguard which
integrates directly with PF. I find it quite effective.

On 29 Oct 2017 at 6:30, x9p wrote:

> On 2017-10-29 04:35, Rupert Gallagher wrote:
> > Note that PF cannot discriminate between legitimate and abusive
> > multiple connections from same cidr. If you whitelist the cidr of a
> > mobile network, to avoid banning yourself on port 993, you also
> > whitelist bruteforce attacks from the same cidr.
> >
> > Sent from ProtonMail Mobile
> >
> > On Sun, Oct 29, 2017 at 5:26 AM, Tom Rosso <[hidden email]> wrote:
> >
> >> On 2017-10-28 21:20, x9p wrote:
> >> > Hi,
> >> >
> >> > Coming from the Linux world, I wonder if there is a better alternative
> >> > to fail2ban, already being used in OpenBSD servers by the majority.
> >> >
> >> > cheers.
> >> >
> >> > x9p
> >>
> >> The pf firewall provides the capability to block brute force attacks. See
> >> max-src-conn-rate.
> >> https://www.openbsd.org/faq/pf/filter.html#stateopts
>
> was suggested http://openports.se/sysutils/sec , which seems the most
> proper.
>
> thanks all for the inputs..
>
> cheers.
>
> x9p
>
>



Re: Fail2ban alternative for OpenBSD

Gregory Edigarov-5
In reply to this post by x9p-2
On 29.10.17 03:20, x9p wrote:
>
> Coming from the Linux world, I wonder if there is a better alternative
> to fail2ban, already being used in OpenBSD servers by the majority.
>
I suggest you NEVER use such "solutions". It's a security-by-obscurity
model, and therefore a very, very bad thing.
You'd be much safer completely turning off password authentication,
using keys instead.


Re: Fail2ban alternative for OpenBSD

Kamil Cholewiński
On Mon, 30 Oct 2017, Gregory Edigarov <[hidden email]> wrote:
> On 29.10.17 03:20, x9p wrote:
>>
>> Coming from the Linux world, I wonder if there is a better alternative
>> to fail2ban, already being used in OpenBSD servers by the majority.
>>
> I suggest you NEVER use such "solutions". It's security by obscurity
> model, and therefore a bad very very bad thing.
> You'd be much safer completely turning off password authentication,
> using keys instead.

Throttling brute-force attack attempts is usually Good. Passwords are
one thing to try forcing, but there may be other undiscovered (or
unpatched) vulns, like the Debian key fiasco or such.

Of course, if it actually made sense, OpenBSD would probably ship it as
a default ;)

<3,K.


Re: Fail2ban alternative for OpenBSD

Peter Hessler
In reply to this post by Gregory Edigarov-5
On 2017 Oct 30 (Mon) at 11:06:02 +0200 (+0200), Gregory Edigarov wrote:
:On 29.10.17 03:20, x9p wrote:
:>
:> Coming from the Linux world, I wonder if there is a better alternative to
:> fail2ban, already being used in OpenBSD servers by the majority.
:>
:I suggest you NEVER use such "solutions". It's security by obscurity model,
:and therefore a bad very very bad thing.

On the contrary, it is a great way to identify bad actors.  IMHO,
someone trying to bruteforce passwords deserves to be blocked at the
network level.


:You'd be much safer completely turning off password authentication, using
:keys instead.
:

Who says password auth is enabled in the first place?


--
Q:  Why do ducks have flat feet?
A:  To stamp out forest fires.

Q:  Why do elephants have flat feet?
A:  To stamp out flaming ducks.


Re: Fail2ban alternative for OpenBSD

Zbyszek Żółkiewski
First of all, SSH access should be blocked - I have been wondering for years why the hell people leave the SSH port open to the world? Seriously, the smallest VPC+openvpn costs $5 monthly…

_
Zbyszek Żółkiewski

> Message written by Peter Hessler <[hidden email]> on 30.10.2017, at 10:35:
>
> On 2017 Oct 30 (Mon) at 11:06:02 +0200 (+0200), Gregory Edigarov wrote:
> :On 29.10.17 03:20, x9p wrote:
> :>
> :> Coming from the Linux world, I wonder if there is a better alternative to
> :> fail2ban, already being used in OpenBSD servers by the majority.
> :>
> :I suggest you NEVER use such "solutions". It's security by obscurity model,
> :and therefore a bad very very bad thing.
>
> On the contrary, it is a great way to identify bad actors.  IMHO,
> someone trying to bruteforce passwords deserves to be blocked at the
> network level.
>
>
> :You'd be much safer completely turning off password authentication, using
> :keys instead.
> :
>
> Who says password auth is enabled in the first place?
>
>
> --
> Q:  Why do ducks have flat feet?
> A:  To stamp out forest fires.
>
> Q:  Why do elephants have flat feet?
> A:  To stamp out flaming ducks.
>


Re: Fail2ban alternative for OpenBSD

Kamil Cholewiński
> I have been wondering for years why the hell people leave the SSH port open to
> the world?

Because I trust OpenSSH.


Re: Fail2ban alternative for OpenBSD

Zbyszek Żółkiewski
That's naive. Did you trust it when there were weak ssh keys generated a few years ago? I am not here to teach anyone about good practices, but having ssh closed is just common sense.

_
Zbyszek Żółkiewski

> Message written by Kamil Cholewiński <[hidden email]> on 30.10.2017, at 10:57:
>
>> I have been wondering for years why the hell people leave the SSH port open to
>> the world?
>
> Because I trust OpenSSH



Re: Fail2ban alternative for OpenBSD

Solene Rapenne
In reply to this post by x9p-2
On 2017-10-29 02:20, x9p wrote:
> Hi,
>
> Coming from the Linux world, I wonder if there is a better alternative
> to fail2ban, already being used in OpenBSD servers by the majority.
>
> cheers.
>
> x9p

Hello,

jca imported sshlockout from dragonflybsd. It's in security/sshlockout.

It's dead simple. Here is an extract from the man page:


# in /etc/pf.conf
table <lockout> persist { }

# and later in /etc/pf.conf - see below
block in quick on $ext_if proto tcp from <lockout> to any port 22

# in /etc/syslog.conf
auth.info;authpriv.info   |exec /usr/sbin/sshlockout -pf lockout

# in root's crontab
3 3 * * * pfctl -tlockout -T expire 86400


Re: Fail2ban alternative for OpenBSD

Kamil Cholewiński
In reply to this post by Zbyszek Żółkiewski
On Mon, 30 Oct 2017, Zbyszek Żółkiewski <[hidden email]> wrote:
> That's naive. Did you trust it when there were weak ssh keys
> generated a few years ago? I am not here to teach anyone about
> good practices, but having ssh closed is just common sense.

It was Debian's screwup, not OpenSSH's.

Call me naive. I'll call you if I ever get pwned, and enjoy not having
to muck around with OpenVPN in the meantime.


Re: Fail2ban alternative for OpenBSD

vincent delft-2
In reply to this post by Kamil Cholewiński
Hello all,

May I add my 2 cents ...

I had the same problem some months ago, so I developed log2table
(http://vincentdelft.be/post/post_20170517), which has the same idea as
fail2ban.
It's a Python script with no specific requirements, except some entries in
doas.conf.

The added value is that you can ban a bad IP based on the different actions
it is doing on your machine (ssh, http, ...).
In short, every attack gives a "weight" (you decide in the config file) and
when the threshold is reached the IP is blocked (1 hour in my config).

rgds


On Mon, Oct 30, 2017 at 10:31 AM, Kamil Cholewiński <[hidden email]>
wrote:

> On Mon, 30 Oct 2017, Gregory Edigarov <[hidden email]> wrote:
> > On 29.10.17 03:20, x9p wrote:
> >>
> >> Coming from the Linux world, I wonder if there is a better alternative
> >> to fail2ban, already being used in OpenBSD servers by the majority.
> >>
> > I suggest you NEVER use such "solutions". It's security by obscurity
> > model, and therefore a bad very very bad thing.
> > You'd be much safer completely turning off password authentication,
> > using keys instead.
>
> Throttling brute-force attack attempts is usually Good. Passwords are
> one thing to try forcing, but there may be other undiscovered (or
> unpatched) vulns, like the Debian key fiasco or such.
>
> Of course, if it actually made sense, OpenBSD would probably ship it as
> a default ;)
>
> <3,K.
>
>
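The weighted-scoring idea described in the post above, together with Rupert Gallagher's earlier caveat about whitelisting a whole CIDR, as an added illustration that is not log2table's own code: the weights, the log lines and the pf table name `log2table` are constructed or assumed here, and the pfctl commands are only rendered, where a real wrapper would run them through doas.

```python
import ipaddress
import re
# Constructed sample log lines (sshd and httpd style), not real data.
SAMPLE_LOGS = [
    "sshd[1234]: Failed password for root from 203.0.113.7 port 5022 ssh2",
    "sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 5023 ssh2",
    'httpd: 203.0.113.7 - - "POST /wp-login.php HTTP/1.1" 404',
    "sshd[1240]: Failed password for root from 198.51.100.9 port 4001 ssh2",
    "sshd[1241]: Failed password for alice from 192.0.2.33 port 4002 ssh2",
    "sshd[1241]: Failed password for alice from 192.0.2.33 port 4003 ssh2",
]
# Each kind of event scores a weight (hypothetical values); an address is
# banned once its total reaches THRESHOLD. Most specific pattern first.
RULES = [
    (re.compile(r"Failed password for invalid user \S+ from (\S+)"), 5),
    (re.compile(r"Failed password for \S+ from (\S+)"), 3),
    (re.compile(r'httpd: (\S+) .*"POST /wp-login\.php'), 2),
]
THRESHOLD = 6
BAN_SECONDS = 3600  # 1 hour, as in the config described above
WHITELIST = [ipaddress.ip_network("192.0.2.0/24")]  # hypothetical carrier range

def score(lines):
    """Return {ip: accumulated weight} over the given log lines."""
    totals = {}
    for line in lines:
        for pattern, weight in RULES:
            m = pattern.search(line)
            if m:
                totals[m.group(1)] = totals.get(m.group(1), 0) + weight
                break
    return totals

def decide(totals, now):
    """Split addresses at or above THRESHOLD into banned {ip: expiry epoch}
    and exempt [ip] (inside a whitelisted CIDR, so never blocked)."""
    banned, exempt = {}, []
    for ip, total in totals.items():
        if total < THRESHOLD:
            continue
        if any(ipaddress.ip_address(ip) in net for net in WHITELIST):
            exempt.append(ip)  # the whitelist shields attackers in that CIDR too
        else:
            banned[ip] = now + BAN_SECONDS
    return banned, exempt

def pfctl_commands(banned, table="log2table"):
    """pfctl invocations a doas-wrapped script would run (rendered, not executed)."""
    return [f"doas pfctl -t {table} -T add {ip}" for ip in sorted(banned)]
```

With the constructed lines, 203.0.113.7 is banned, 198.51.100.9 stays below the threshold, and 192.0.2.33 crosses it but is shielded by the whitelisted range, which is exactly the trade-off Rupert describes.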

Re: Fail2ban alternative for OpenBSD

Indunil Jayasooriya
In reply to this post by Kamil Cholewiński
On Mon, Oct 30, 2017 at 3:27 PM, Kamil Cholewiński <[hidden email]>
wrote:

> > I have been wondering for years why the hell people leave the SSH port open to
> > the world?
>
> Because I trust OpenSSH.
>

Yeah, it is pretty secure. I trust it too. Great work from OpenBSD.



--
cat /etc/motd

Thank you
Indunil Jayasooriya
http://www.theravadanet.net/

Re: Fail2ban alternative for OpenBSD

Stuart Henderson
In reply to this post by Gregory Edigarov-5
On 2017-10-30, Gregory Edigarov <[hidden email]> wrote:
> On 29.10.17 03:20, x9p wrote:
>>
>> Coming from the Linux world, I wonder if there is a better alternative
>> to fail2ban, already being used in OpenBSD servers by the majority.
>>
> I suggest you NEVER use such "solutions". It's security by obscurity
> model, and therefore a bad very very bad thing.
> You'd be much safer completely turning off password authentication,
> using keys instead.

If someone is pushing a lot of auth attempts, they can be consuming meaningful
amounts of cpu. (They're usually too quick to show up in top). So restricting it
can be useful from that point of view.

Myself, I normally restrict ssh to connecting from a predefined list of IPs though ...


Re: Fail2ban alternative for OpenBSD

Gregory Edigarov-5
On 02.11.17 20:19, Stuart Henderson wrote:

> On 2017-10-30, Gregory Edigarov <[hidden email]> wrote:
>> On 29.10.17 03:20, x9p wrote:
>>> Coming from the Linux world, I wonder if there is a better alternative
>>> to fail2ban, already being used in OpenBSD servers by the majority.
>>>
>> I suggest you NEVER use such "solutions". It's security by obscurity
>> model, and therefore a bad very very bad thing.
>> You'd be much safer completely turning off password authentication,
>> using keys instead.
> If someone is pushing a lot of auth attempts, they can be consuming meaningful
> amounts of cpu. (They're usually too quick to show up in top). So restricting it
> can be useful from that point of view.
>
> Myself, I normally restrict ssh to connecting from a predefined list of IPs though ...
And it is the right behavior when you can define such a list.
Myself, I just turn off password auth, and have my keys on a pen drive.