From: Stefan Monnier
Subject: [elpa] externals/nftables-mode 34ffd618ac 19/41: fixup! Got the IPS working at last (inc IPv6), mua ha ha!
Date: Mon, 23 May 2022 09:27:23 -0400 (EDT)
branch: externals/nftables-mode
commit 34ffd618ac0c46959005afbd16a0f70e2f579836
Author: Trent W. Buck <trentbuck@gmail.com>
Commit: Trent W. Buck <trentbuck@gmail.com>
fixup! Got the IPS working at last (inc IPv6), mua ha ha!
---
nftables-router.nft | 86 +++++++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 83 insertions(+), 3 deletions(-)
diff --git a/nftables-router.nft b/nftables-router.nft
index c7c6f6d26b..2deb5b368d 100644
--- a/nftables-router.nft
+++ b/nftables-router.nft
@@ -334,6 +334,13 @@ table inet my_filter {
## An automated SSH (et al) brute-force blacklist.
##
+ ## The nominal goal is to nerf brute-force password guessing.
+ ## Since I disable password auth, the REAL goal is to reduce the
+ ## amount of spam in my SSH auth log.
+ ##
+ ## (Running SSH on a non-standard port would also work, but
+ ## I want to benefit from ISPs giving preferential QOS to 22/tcp).
+ ##
## 1. if you brute-force port X more than Y times/minute,
## you're blacklisted for Z minutes.
##
@@ -411,7 +418,7 @@ table inet my_filter {
chain my_IPS {
ct state != new return comment "Operate per-flow, not per-packet
(my_prologue guarantees this anyway)"
- iiftype != ppp return comment "IPS only protects against attacks
from the internet"
+ iiftype != ppp return comment "IPS only protects against attacks
from the internet"
# Track the rate of new connections (my_IPS_IPvX_meter).
# If someone (ip saddr) connects to a service (ip daddr . tcp dport)
too often,
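Review bot: the removed and re-added `iiftype != ppp return comment "IPS only protects against attacks from the internet"` lines are identical as rendered here, so this hunk is whitespace-only (indentation or trailing space); that is harmless in a fixup! commit, but worth confirming that the comment string itself was not meant to change.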
@@ -429,7 +436,6 @@ table inet my_filter {
# In other words, once blacklisted for brute-forcing SSH, you REMAIN
blacklisted until you STFU for a while (on ALL ports).
ip saddr != @my_IPS_IPv4_whitelist ip saddr @my_IPS_IPv4_blacklist
update @my_IPS_IPv4_blacklist { ip saddr } drop
ip6 saddr != @my_IPS_IPv6_whitelist ip6 saddr @my_IPS_IPv6_blacklist
update @my_IPS_IPv6_blacklist { ip6 saddr } drop
-
}
set my_IPS_IPv4_meter { type ipv4_addr . ipv4_addr . inet_service;
timeout 10m; flags dynamic; }
set my_IPS_IPv6_meter { type ipv6_addr . ipv6_addr . inet_service;
timeout 10m; flags dynamic; }
@@ -437,7 +443,81 @@ table inet my_filter {
set my_IPS_IPv6_blacklist { type ipv6_addr; timeout 10m; }
set my_IPS_IPv4_whitelist { type ipv4_addr; timeout 10h; }
set my_IPS_IPv6_whitelist { type ipv6_addr; timeout 10h; }
- set my_IPS_TCP_ports { type inet_service; elements={ssh, telnet,
ftp}; }
+ set my_IPS_TCP_ports { type inet_service; elements={
+ ssh,
+ telnet, # we don't use it
+ ftp, ftps, # we don't use it
+ 3389, 5900, # we don't use it (VNC & RDP)
+ pop3, pop3s, imap, # we don't use it
+ microsoft-ds, # we don't use it (SMB)
+ mysql, postgresql, ms-sql-s, # we don't use it (from the
internet, without a VPN)
+ pptp, # we don't use it
+ login, # we don't use it
+ }; }
+ # CONSIDERED AND REJECTED FOR my_IPS_TCP_ports
+ # ============================================
+ #
+ # * http, https:
+ #
+ # HTTP/0.9 and HTTP/1.1 is one TCP connect per request.
+ #
+ # HTTP/1.1 has workarounds that still suck due to head-of-line blocking.
+ # https://en.wikipedia.org/wiki/HTTP_persistent_connection
+ # https://en.wikipedia.org/wiki/HTTP_pipelining
+ #
+ # HTTP/2 solves this fully, but is /de facto/ never used on port 80.
+ #
+ # The end result is that as at August 2019,
+ # GUI browsers still routinely burst many HTTP connections to a single
DST:DPT.
+ # This IPS only measures burstiness, so it can't work for HTTP/S.
+ #
+ # * imaps:
+ #
+ # If the server (and client) speak IMAP IDLE but not IMAP NOTIFY,
+ # the client will make ONE CONNECTION PER MAILBOX FOLDER.
+ # This looks very bursty, so the IPS can't do it's thing.
+ #
+ # See also:
+ # https://tools.ietf.org/html/rfc5465
+ # https://wiki2.dovecot.org/Plugins/PushNotification (??? -- different
RFC)
+ # https://bugzilla.mozilla.org/show_bug.cgi?id=479133 (tbird)
+ # https://blog.jcea.es/posts/20141011-thunderbird_notify.html
+ # https://en.wikipedia.org/wiki/JMAP (just ditch IMAP entirely)
+ #
+ # * smtp, submission:
+ #
+ # For smtp (25/tcp), can't do shit because we have to talk to
+ # whatever the fuck crackhead MTAs are out there.
+ #
+ # For submission, we could limit connection rate IFF we knew
+ # ALL STAFF were running an MSA that batched up the messages.
+ # We know that at least msmtp does not, so this is a no-go.
+ #
+ # (Consider a manager sending 4+ one-liner "yes" or "do it!"
+ # emails in a single minute. We might be able to mitigate this
+ # by matching on submission with a more forgiving burst limit,
+ # e.g. 1/min burst 10? Otherwise, we have to rate-limit in the
+ # postfix->dovecot SASL backend, or the dovecot->ad LDAP
+ # backend. UGH.)
+ #
+ # * msrpc:
+ #
+ # FIXME: wtf even. I don't want to read enough about this to
+ # know if it's reasonable to IPS it.
+ #
+ # * openvpn:
+ #
+ # Normally UDP, and we currently only IPS TCP.
+ # Normally cert-based (but can use PSKs).
+ # Might be worth considering if we do this later.
+ #
+ # * ident:
+ #
+ # I think when you irssi -c irc.oftc.net,
+ # OFTC tries to ident back to you?
+ # I don't want to accidentally block OFTC/Freenode.
+
+
# Allow all ICMPv6 is wrong (insecure);
# Deny all ICMPv6 is wrong (breaks IPv6).
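Review bot: the new `my_IPS_TCP_ports` elements are mostly symbolic service names (`ftps`, `microsoft-ds`, `ms-sql-s`, `pptp`, `login`), which nft resolves through /etc/services at load time, so a name missing on the target system makes the whole ruleset fail to load rather than just skipping that entry; a later commit in this series, 70b0e577a6 ("Debian doesn't have "pptp" in /etc/services"), hits exactly this. Prefer numeric ports with the service name in the trailing comment, as already done for `3389, 5900, # we don't use it (VNC & RDP)`. Minor doc point in the CONSIDERED AND REJECTED block: `HTTP/0.9 and HTTP/1.1 is one TCP connect per request` should read HTTP/1.0, since the next line describes HTTP/1.1 persistent connections as the workaround.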