-rw-r--r-- | host_vars/vultr | 6 | ||||
-rw-r--r-- | roles/security/tasks/main.yml | 1 | ||||
-rw-r--r-- | roles/security/templates/pf.conf.j2 | 40 |
3 files changed, 27 insertions, 20 deletions
diff --git a/host_vars/vultr b/host_vars/vultr
index f6220ef..914a4d5 100644
--- a/host_vars/vultr
+++ b/host_vars/vultr
@@ -16,6 +16,12 @@ network:
 address: 2001:19f0:5:3166::c0f:fee
 prefixlen: 64
+pf:
+ # number of simulataneous connections allowed from one host
+ max_conn: 100
+ # rate of new connections allowed from one host
+ max_conn_rate: 15/5 # 15 of connections per 5 seconds
+
 domains:
 - name: liwt.net
 # sub-domains for which to request certificates
diff --git a/roles/security/tasks/main.yml b/roles/security/tasks/main.yml
index 08780a5..62c1ac5 100644
--- a/roles/security/tasks/main.yml
+++ b/roles/security/tasks/main.yml
@@ -5,6 +5,7 @@
 dest: /etc/pf.conf
 validate: "pfctl -nf %s"
 notify: reload-pf
+ tags: pf-rules
 - name: firewall - enable PF
 command: rcenable pf
diff --git a/roles/security/templates/pf.conf.j2 b/roles/security/templates/pf.conf.j2
index eb7be08..01d6d12 100644
--- a/roles/security/templates/pf.conf.j2
+++ b/roles/security/templates/pf.conf.j2
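Review bot: The new `pf` values in host_vars/vultr are far more permissive than the limits the template previously hard-coded for the restricted services (8 simultaneous and 4 new connections per 30 s become 100 simultaneous and 15 per 5 s), and the hunk gives no reason for the change; a one-line comment stating why this host needs the looser brute-force thresholds would help the next reader judge whether it is still protecting SSH as intended. The comment also has a typo, `simulataneous` → `simultaneous`, and `# 15 of connections per 5 seconds` reads better as `# 15 new connections per 5 seconds`. Since the rate is passed through verbatim into the pf rule, quoting it, `max_conn_rate: "15/5"`, makes explicit that it is a string token and not arithmetic.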
@@ -326,34 +326,34 @@ block log quick from <bruteforce>
 block drop in quick on $ext_if proto { tcp, udp } from any to any \
 port { netbios-ns, netbios-dgm, netbios-ssn, microsoft-ds, nfsd }
-# Use overload tables to protect restrictive services (e.g., SSH)
+# Use overload table(s) to protect restrictive services (e.g., SSH)
+# against brute force attacks.
 #
-# * max-src-conn :
+# * max-src-conn n:
 # number of simultaneous connections allowed from one host
-# * max-src-conn-rate :
+# * max-src-conn-rate n/m:
 # rate of new connections allowed from any single host
-# per number of seconds (here: 4 connections every 30 seconds).
-# * overload <bruteforce> :
+# per number of seconds (n connections every m seconds).
+# * overload <bruteforce>:
 # any host which exceeds these limits gets its address added to
 # the "bruteforce" table.
-# * flush global :
-# when a host reaches the limit, that all (global) of that host's
-# connections will be terminated (flush).
+# * flush global:
+# when a host reaches the limit, then all its connections are
+# terminated (flush).
+#
+# Credit: https://home.nuug.no/~peter/pf/en/bruteforce.html
 #
 # NOTE:
-# Over time, tables will be filled by overload rules and their size
-# will grow incrementally, taking up more memory. Sometimes an IP
-# address that is blocked is a dynamically assigned one, which has
-# since been assigned to a host who has a legitimate reason to communicate
-# with hosts. Therefore, the expired entries should get flushed,
-# e.g., this command will remove "bruteforce" table entries which
-# have not been referenced for 86400 seconds (i.e., 1 day):
-# pfctl -t bruteforce -T expire 86400
-# It is convenient to add such clean command to root's cron table.
-#
-pass in on $ext_if proto tcp to ($ext_if) port $in_tcp_services_restricted \
+# The "bruteforce" table needs periodic cleanups to remove the expired
+# entries (e.g., dynamically allocated IPs). A good choice is to add
+# a cron task for root, e.g.,
+# @hourly pfctl -t bruteforce -T expire 86400
+#
+pass in on $ext_if proto tcp to ($ext_if) \
+ port $in_tcp_services_restricted \
 flags S/SA keep state \
- (max-src-conn 8, max-src-conn-rate 4/30, \
+ (max-src-conn {{ pf.max_conn }}, \
+ max-src-conn-rate {{ pf.max_conn_rate }}, \
 overload <bruteforce> flush global)
 # Pass traffic for allowed non-restricted services |
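Review bot: The rewritten pass rule dereferences `pf.max_conn` and `pf.max_conn_rate` with no fallback, so rendering pf.conf now fails for any host whose variables do not define a `pf` mapping (in this commit only host_vars/vultr does), and the `pfctl -nf` validate step never runs because templating aborts first. The values the hunk removes, 8 and 4/30, are the natural defaults: either declare them in the role's defaults (Ansible's `defaults/main.yml` convention) or write `(max-src-conn {{ pf.max_conn | default(8) }}, \` and `max-src-conn-rate {{ pf.max_conn_rate | default('4/30') }}, \` so existing hosts keep the stricter limits unless they opt in. A short comment above the rule naming the two variables and their defaults would also save the next maintainer a trip to host_vars.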