On 29.05., Walter Alejandro Iglesias wrote:
> In article <20200528165448.GA22166@flueckiger.lan> Bruno Flueckiger <inform.me@gmx.net> wrote:
> > On 26.05., Walter Alejandro Iglesias wrote:
> > > I understand that this command:
> > >
> > > # pfctl -t spam -T expire <seconds>
> > >
> > > Takes into account the "Cleared" date:
> > >
> > > # pfctl -t spam -vT show
> > > ___.___.22.65
> > > Cleared: Mon May 25 16:10:22 2020
> > > ___.___.167.62
> > > Cleared: Mon May 25 16:10:22 2020
> > > [...]
> > >
> > > Is there a way to save and restore tables metadata after a reboot
> > > preserving those dates?
> > >
> >
> > You can save the list of IPs in a table and reload it after a reboot as
> > described here: https://www.bsdhowto.ch/savepftables.html
>
> Nice website. ;-)
>
Thanks :-)
> >
> > As there is no way to save the dates the date for each IP will be set to
> > the current date and time when load happens.
>
> The interesting point and the reason for my concern is to choose a
> convenient "expire time." With mail it is problematic, but with ssh, since
> I know exactly whom I want to allow external access (just me), I let
> them accumulate. I block ssh attackers on the ssh port only; people
> sharing those addresses are not affected. So, I thought, the only
> concern in the ssh case was how much a big number of entries could
> affect pf performance, till at some point my tables reached the memory
> hard limit and I had to remove IPs arbitrarily. :-)
>
Well, I use my system in production. Therefore I prefer to be on the
safe side and remove old entries from my block tables rather than
risking instabilities or performance penalties.
> In summary, pfctl expire command does nothing after a reboot. Then you
> have two options:
>
> - To use a (cron) expire time significantly lower than the desirable.
>
> - To expire entries when your tables are about to reach the memory
> hard limit.
>
> In both cases you'll probably suffer spam again from IPs that were
> already blocked.
>
What is a desirable expire time for blocked IPs in your view?
For SSH I don't care how many times an attacker tries it. As soon as the
IP is in the blocking table I don't even get log entries for it.
In case of SMTP I don't rely solely on IP blocking to fight spam. The
blocking only kicks in if there are too many simultaneous connections
coming from the same IP.
Cheers,
Bruno
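
A script added to this page by the editor (it is not Bruno's, Walter's or
bsdhowto.ch's code, and not part of pfctl) showing one way around the
problem both posters describe: pf stamps a fresh "Cleared" date on every
entry it loads, so the expiry clock has to be kept outside pf. The script
records the Cleared dates from `pfctl -vT show` in its own state file,
keeps the oldest date it has seen for each address so that a restore (or a
save right after one) does not reset the clock, and on restore reloads
only the entries still younger than EXPIRE seconds. The table name `spam`,
the state path under /var/db and the one-week EXPIRE are placeholders; it
assumes OpenBSD's pfctl(8) and awk(1) and a table declared `persist` in
pf.conf. The sample `pfctl -vT show` output inside it is constructed
(documentation addresses).

```shell
#!/bin/sh
# Added example (editor's code, not from the thread, bsdhowto.ch or OpenBSD).
# pf forgets a table entry's "Cleared" date on reboot, so keep our own copy:
#   save     store "epoch address" pairs taken from `pfctl -vT show`
#   restore  reload only the entries younger than EXPIRE seconds
# This gives the effect of `pfctl -T expire` across a reboot.
# TABLE, STATE and EXPIRE are placeholders; the table must be `persist`.

TABLE=${TABLE:-spam}
STATE=${STATE:-/var/db/pf-table-$TABLE}
EXPIRE=${EXPIRE:-604800}          # one week; tune per service

# parse_show: read `pfctl -vT show` on stdin, print "epoch address" per entry.
# An address line has a single field; the following "Cleared:" line carries
# e.g. "Mon May 25 16:10:22 2020".  The date is converted with the
# days-from-civil formula and treated as UTC: pfctl prints local time, but
# only differences matter here, so the fixed zone offset cancels out
# (a DST change shifts an entry by an hour at most).
parse_show() {
    awk '
    BEGIN {
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= n; i++) mon[m[i]] = i
    }
    function days(y, mo, d,    era, yoe, doy, doe) {
        if (mo <= 2) y--
        era = int(y / 400)
        yoe = y - era * 400
        doy = int((153 * (mo > 2 ? mo - 3 : mo + 9) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    NF == 1 { addr = $1; next }
    $1 == "Cleared:" && addr != "" {
        split($5, t, ":")
        secs = days($6, mon[$3], $4) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        printf "%d %s\n", secs, addr
        addr = ""
    }'
}

# merge_state: merge new "epoch address" lines (stdin) with the previous
# state file ($1), keeping the OLDEST timestamp per address.  Needed because
# pf stamps a fresh Cleared date on every entry it loads: without this, the
# first save after a restore would reset every expiry clock.
merge_state() {
    _old=${1:-/dev/null}
    [ -r "$_old" ] || _old=/dev/null
    cat "$_old" - | LC_ALL=C sort -k2,2 -k1,1n | awk '!seen[$2]++'
}

# live_entries: print the addresses from the state lines on stdin whose
# timestamp is within $2 (default EXPIRE) seconds of $1 (now, epoch seconds).
live_entries() {
    awk -v now="$1" -v expire="${2:-$EXPIRE}" 'now - $1 <= expire { print $2 }'
}

save_table() {
    pfctl -t "$TABLE" -vT show | parse_show | merge_state "$STATE" > "$STATE.tmp" &&
        mv "$STATE.tmp" "$STATE"
}

# restore_table: load what is still live.  An empty list empties the table,
# which is the right outcome when everything has expired.
restore_table() {
    [ -r "$STATE" ] || return 0
    live_entries "$(date +%s)" < "$STATE" > "$STATE.live" &&
        pfctl -t "$TABLE" -T replace -f "$STATE.live"
}

# Constructed sample of `pfctl -vT show` output (documentation addresses),
# used by the `selftest` subcommand; real output carries more stats lines.
SAMPLE=$(printf '   192.0.2.10\n\tCleared:     Mon May 25 16:10:22 2020\n\tIn/Block:    [ Packets: 3  Bytes: 180 ]\n   198.51.100.7\n\tCleared:     Tue May 26 10:00:00 2020\n')

case "${1:-}" in
    save)     save_table ;;
    restore)  restore_table ;;
    selftest) printf '%s\n' "$SAMPLE" | parse_show ;;
esac
```

Run `save` from cron (and from rc.shutdown if you want the last minutes
covered) and `restore` from rc.local(8). A periodic `pfctl -T expire` in
cron is still the right tool while the system is up; the script only
carries the expiry across reboots, and it is the merge step that makes the
two coexist.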