diff --git a/config/action.d/pf.conf b/config/action.d/pf.conf index 933b4de014..e5a5d7652f 100644 --- a/config/action.d/pf.conf +++ b/config/action.d/pf.conf @@ -4,8 +4,44 @@ #
Author: Nick Hilliard nick@foobar.org
Modified by: Alexander Koeppe making PF work seamless and with IPv4 and IPv6
+# Further modified by: Zane C. Bowers-Hadley vvelox@vvelox.net to make it kill states for a IP so the +# ban takes affect as well as not handling multiple protocols. + +# WARNING WARNING WARNING WARNING WARNING +# WARNING WARNING WARNING WARNING WARNING +# WARNING WARNING WARNING WARNING WARNING +# +# This will kill any state for a banned IP. This will ensure the ban actually takes affect. +# This is need as pf has both the strenght and weakness that changes won't affect current +# states till it is forced to, but unfortunately the only way to make that take affect is +# to kil them. +# +# If some one wishes to fix that, this will requiring writing a tool to grab the session +# id for the item in question from 'pfctl -s state -vv'. +# +# This is especially important for stateless procols such as UDP as well as TCP protocols +# that are capable of processing multiple requests in a single session, such as HTTP2. +# +# If you wish to disable this, you need to set no_kill=true with an action. +# +# Example.. # +# [dovecot] +# enabled = true +# filter = dovecot +# action = pf[actiontype=,no_kill="true"]
#
+# The above will mean if some one hits the limit for dovecot, it won't automatically kill their
+# active states, such as maybe SSH.
+#
+# Where would be doing this be bad? Lets say you have a service using UDP. The attacker can keep it
+# up indefinitely as long they don't let up as UDP is stateless. Similarly with HTTP2, a attacker
+# can keep it going till the web server kills or they finish doing what ever they are doing. This is
+# especially true for a rule that triggers based on attempted data exfiltration.
+#
+# Basially you have the choice of maybe a potetional moment annoyance of having to restart a SSH
+# session or the like or potiential compromise as the pf table change was never allowed to take affect
+# as the states for that IP were never cleared.
[Definition]
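Review bot: The new header comment says the change is for "not handling multiple protocols", which reads as the opposite of what the protocol hunk below enables; reword to "as well as handling multiple protocols" (or drop the clause). The same block needs a spelling pass before merge: "takes affect" should be "takes effect" (three occurrences), and "strenght", "kil", "procols", "Basially", "potetional", "potiential", "some one", "a IP" and "a attacker" are all misspelt. Three identical WARNING lines add nothing over one; the behaviour is already explained in the sentence that follows them.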
@@ -13,7 +49,7 @@
Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
Values: CMD
# -# we don't enable PF automatically; to enable run pfctl -e +# we don't enable PF automatically; to enable run pfctl -e
or add
pf_enable="YES"
to /etc/rc.conf (tested on FreeBSD)also, these rulesets are loaded into (nested) anchors
to enable them, add as wildcard:
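Review bot: The only change in this hunk is the `-# ... pfctl -e` / `+# ... pfctl -e` pair, which renders identically, so this is a whitespace-only edit (trailing whitespace or line ending) unrelated to the state-kill feature; drop it so the patch stays focused. The same applies to the `-#`/`+#` pair in the `pfctl = pfctl -a f2b/` hunk further down.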
@@ -66,8 +102,7 @@ actioncheck = -sr | grep -q -
Values: CMD
# -actionban = -t - -T add
+actionban = -t - -T add ; if [ "" != "true" ]; then pfctl -k ; fi
Option: actionunban
Notes.: command executed when unbanning an IP. Take care that the
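Review bot: Joining the table add and the state kill with `;` means the command's exit status is that of the trailing `if`, so a failing `-T add` is no longer reported to Fail2Ban as a failed ban; use `&&` between the two so the kill only runs, and success is only reported, when the table entry was actually added. `no_kill` is consumed here and documented in the header, but the diff declares no `no_kill = false` default under [Init] with an Option/Notes block like the other options; add one so the documented jail-level `pf[no_kill="true"]` override has a declared default instead of relying on the interpolation being empty. Also confirm against pfctl(8) that a single `-k` argument with the banned address covers states in both directions; if it only matches states originating from that address, the two-argument form (`-k 0.0.0.0/0 -k` followed by the address, with `::/0` for IPv6, which this action otherwise supports) is needed for the ban to take full effect.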
@@ -84,7 +119,7 @@ actionunban = -t - -T delete
#
Use anchor as jailname to manipulate affected rulesets only.
If more parameter expected it can be extended with
pf[pfctl="<known/pfctl> ..."]
-# +# pfctl = pfctl -a f2b/
[Init] @@ -104,6 +139,10 @@ block = block quick
Notes.: internally used by config reader for interpolations.
Values: [ tcp | udp | icmp | ipv6-icmp ] Default: tcp
# +# If set to "{ tcp, udp, icmp, ipv6-icmp }", all protocols will be +# taken care of. Similarly combination of protocols may be handled +# in a similar manner. +# protocol = tcp
Option: actiontype
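Review bot: The second sentence of the added comment ("Similarly combination of protocols may be handled in a similar manner") repeats the first; say once that a pf brace-list of protocols is accepted, with `{ tcp, udp }` as a second example beside the full list. The `Values:` line just above still advertises only single values (`[ tcp | udp | icmp | ipv6-icmp ]`), so update it to mention the brace-list form, otherwise the option documentation and the new comment disagree.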
@@ -121,4 +160,3 @@ allports = any
Notes.: addition to block access only to specific ports
Usage.: use in jail config: "banaction = pf[actiontype=]"
multiport = any port $port
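Review bot: The hunk header `@@ -121,4 +160,3 @@` records one line removed, but all three lines shown are unchanged context, so the dropped line is most likely the file's trailing blank line or final newline; restore it unless the removal is intentional, since it is unrelated to this change.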