Tuesday, June 07, 2005

OpenBSD Protection - Part 2

It's been almost 24 hours since I put up the scan protection mentioned in the last article, and I've already blocked a scanner!

But having a look at it all, it's not a very good solution. The problems are:
  1. Scanning is resource intensive. It put quite a notable load spike on the system whenever it ran, which is to be expected from shell scripts scanning log files.
  2. Not granular enough. I was initially running the script every 5 minutes, and as luck would have it, the kiddie I caught started his scan at 15:24:05. If he had started his scan a minute later, there's a good chance I would not have picked it up. In the minute that his scan was allowed to run, he had already managed 97 connections!
  3. Limited to a single machine. Since I'm getting all my info from ssh logs and blocking the packets coming in to the exposed host, when they do trip the wire I only end up protecting that one machine.

To get around these problems, I've decided to make use of the rate limiting features of pf in OpenBSD. I have a dedicated machine protecting my network and doing all my external routing. By putting the monitoring and blocking at this level, as soon as I pick up a scan I can block traffic from that IP address to my entire network.

To do this, I simply added the following rules to my pf.conf:

table <bad_hosts> persist file "/var/log/bad_hosts.list"
block quick from <bad_hosts>
pass in on tun0 proto tcp to (my IP address) port ssh flags S/SA keep state (max-src-conn-rate 5/10, overload <bad_hosts> flush)

Note that the bad IP addresses are loaded from the file when the ruleset is loaded (i.e. at start up), so the table survives a reboot. To keep the file up to date, I run pfctl -t bad_hosts -Tshow > /var/log/bad_hosts.list every hour via cron.
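One weakness of that cron one-liner: the shell truncates bad_hosts.list before pfctl runs, so if pfctl fails (pf disabled, wrong privileges) the persisted list is emptied and the next reboot starts with no blocks. The script below is an added example, not the post's own cron job; it assumes OpenBSD pfctl plus the table and file names from the post, and the script name bad_hosts_sync.sh is hypothetical.

```shell
#!/bin/sh
# Hourly cron job to snapshot the live <bad_hosts> table into the file that
# "table <bad_hosts> persist file" reloads at boot. Added example, not the
# post's one-liner: refuses to clobber the list when pfctl fails or prints
# anything other than addresses, and replaces the file atomically.

TABLE=bad_hosts
LIST=/var/log/bad_hosts.list

# Read a "pfctl -t <table> -T show" dump on stdin; exit 0 only if every
# non-blank line is an IPv4/IPv6 address, optionally with a /prefix.
valid_table_dump() {
    awk '
        /^[ \t]*$/ { next }
        /^[ \t]*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?[ \t]*$/ { next }
        /^[ \t]*[0-9A-Fa-f]*(:[0-9A-Fa-f]*)+(\/[0-9]+)?[ \t]*$/ { next }
        { exit 1 }
    '
}

# Write stdin to the file named in $1 via a temp file in the same directory,
# so a crash or a bad dump never leaves a truncated or half-written list.
write_list() {
    dest=$1
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    if cat > "$tmp" && valid_table_dump < "$tmp"; then
        mv -f "$tmp" "$dest"
    else
        rm -f "$tmp"
        return 1
    fi
}

refresh() {
    # Capture the dump first: "pfctl ... > file" would truncate the file
    # before pfctl has a chance to fail.
    dump=$(pfctl -t "$TABLE" -T show) || {
        echo "pfctl failed; keeping existing $LIST" >&2
        return 1
    }
    printf '%s\n' "$dump" | write_list "$LIST"
}

# Only touch pf when invoked as "bad_hosts_sync.sh run" (hypothetical name),
# e.g. from crontab: 0 * * * * /usr/local/sbin/bad_hosts_sync.sh run
case ${1:-} in
    run) refresh ;;
esac
```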

Let's see how this works for the next few days. The next quest will be to automatically file an abuse report for the IP address once you pick it up...
