-rw-r--r--host_vars/vultr6
-rw-r--r--roles/security/tasks/main.yml1
-rw-r--r--roles/security/templates/pf.conf.j240
3 files changed, 27 insertions, 20 deletions
diff --git a/host_vars/vultr b/host_vars/vultr
index f6220ef..914a4d5 100644
--- a/host_vars/vultr
+++ b/host_vars/vultr
@@ -16,6 +16,12 @@ network:
address: 2001:19f0:5:3166::c0f:fee
prefixlen: 64
+pf:
+ # number of simulataneous connections allowed from one host
+ max_conn: 100
+ # rate of new connections allowed from one host
+ max_conn_rate: 15/5 # 15 of connections per 5 seconds
+
domains:
- name: liwt.net
# sub-domains for which to request certificates
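Review bot: The new `max_conn: 100` and `max_conn_rate: 15/5` are far looser than the `max-src-conn 8, max-src-conn-rate 4/30` the pf.conf.j2 template hard-coded before this commit, so a host probing the restricted services (SSH, per the template comment) can now open up to 15 new connections every 5 seconds and hold 100 at once before it lands in the `<bruteforce>` table. If the goal was only to move the values into host_vars, keeping `max_conn: 8` and `max_conn_rate: 4/30` preserves the previous protection; if the relaxation is intentional, a comment saying why would help the next reader. The inline comments also have a typo and an awkward phrase: `# number of simultaneous connections allowed from one host` and `# 15 new connections per 5 seconds`. `15/5` happens to parse as a plain string, but quoting it as `'15/5'` makes that explicit for whoever edits it next.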
diff --git a/roles/security/tasks/main.yml b/roles/security/tasks/main.yml
index 08780a5..62c1ac5 100644
--- a/roles/security/tasks/main.yml
+++ b/roles/security/tasks/main.yml
@@ -5,6 +5,7 @@
dest: /etc/pf.conf
validate: "pfctl -nf %s"
notify: reload-pf
+ tags: pf-rules
- name: firewall - enable PF
command: rcenable pf
diff --git a/roles/security/templates/pf.conf.j2 b/roles/security/templates/pf.conf.j2
index eb7be08..01d6d12 100644
--- a/roles/security/templates/pf.conf.j2
+++ b/roles/security/templates/pf.conf.j2
@@ -326,34 +326,34 @@ block log quick from <bruteforce>
block drop in quick on $ext_if proto { tcp, udp } from any to any \
port { netbios-ns, netbios-dgm, netbios-ssn, microsoft-ds, nfsd }
-# Use overload tables to protect restrictive services (e.g., SSH)
+# Use overload table(s) to protect restrictive services (e.g., SSH)
+# against brute force attacks.
#
-# * max-src-conn :
+# * max-src-conn n:
# number of simultaneous connections allowed from one host
-# * max-src-conn-rate :
+# * max-src-conn-rate n/m:
# rate of new connections allowed from any single host
-# per number of seconds (here: 4 connections every 30 seconds).
-# * overload <bruteforce> :
+# per number of seconds (n connections every m seconds).
+# * overload <bruteforce>:
# any host which exceeds these limits gets its address added to
# the "bruteforce" table.
-# * flush global :
-# when a host reaches the limit, that all (global) of that host's
-# connections will be terminated (flush).
+# * flush global:
+# when a host reaches the limit, then all its connections are
+# terminated (flush).
+#
+# Credit: https://home.nuug.no/~peter/pf/en/bruteforce.html
#
# NOTE:
-# Over time, tables will be filled by overload rules and their size
-# will grow incrementally, taking up more memory. Sometimes an IP
-# address that is blocked is a dynamically assigned one, which has
-# since been assigned to a host who has a legitimate reason to communicate
-# with hosts. Therefore, the expired entries should get flushed,
-# e.g., this command will remove "bruteforce" table entries which
-# have not been referenced for 86400 seconds (i.e., 1 day):
-# pfctl -t bruteforce -T expire 86400
-# It is convenient to add such clean command to root's cron table.
-#
-pass in on $ext_if proto tcp to ($ext_if) port $in_tcp_services_restricted \
+# The "bruteforce" table needs periodic cleanups to remove the expired
+# entries (e.g., dynamically allocated IPs). A good choice is to add
+# a cron task for root, e.g.,
+# @hourly pfctl -t bruteforce -T expire 86400
+#
+pass in on $ext_if proto tcp to ($ext_if) \
+ port $in_tcp_services_restricted \
flags S/SA keep state \
- (max-src-conn 8, max-src-conn-rate 4/30, \
+ (max-src-conn {{ pf.max_conn }}, \
+ max-src-conn-rate {{ pf.max_conn_rate }}, \
overload <bruteforce> flush global)
# Pass traffic for allowed non-restricted services
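Review bot: The pass rule now dereferences `pf.max_conn` and `pf.max_conn_rate` with no fallback, and only host_vars/vultr defines the `pf` mapping in this commit, so any other host applying the security role fails at template-render time with an undefined-variable error, before the `pfctl -nf` validate step ever runs. Providing the previous values as role defaults (roles/security/defaults/main.yml) or inline, e.g. `(max-src-conn {{ pf.max_conn | default(8) }}, \` and `max-src-conn-rate {{ pf.max_conn_rate | default('4/30') }}, \`, keeps the old behaviour for hosts that do not override it. Also worth noting in the header comment that a bad rate string is only caught by the pfctl validation, since Jinja does not check the n/m format. The enclosing rule set continues past the end of the hunk.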