Blocking the Lamerz

After setting up a test server and getting it online I noticed some unwanted guests trying to gain access to the root account. From the logfile /var/log/authlog:

Jun 12 10:15:27 sshd[92881]: Disconnected from authenticating user root 188.226.202.13 port 36477 [preauth]
Jun 12 10:16:37 sshd[30913]: Failed password for root from 121.66.224.90 port 45994 ssh2
Jun 12 10:16:38 sshd[30913]: Received disconnect from 121.66.224.90 port 45994:11: Bye Bye [preauth]
Jun 12 10:16:38 sshd[30913]: Disconnected from authenticating user root 121.66.224.90 port 45994 [preauth]
Jun 12 10:18:16 sshd[38068]: Invalid user qqding from 188.35.187.50 port 58726
Jun 12 10:18:16 sshd[38068]: Failed password for invalid user qqding from 188.35.187.50 port 58726 ssh2
Jun 12 10:18:16 sshd[38068]: Received disconnect from 188.35.187.50 port 58726:11: Bye Bye [preauth]
Jun 12 10:18:16 sshd[38068]: Disconnected from invalid user qqding 188.35.187.50 port 58726 [preauth]
Jun 12 10:18:27 sshd[48451]: Failed password for root from 145.239.72.142 port 57066 ssh2
Jun 12 10:18:28 sshd[48451]: Received disconnect from 145.239.72.142 port 57066:11: Bye Bye [preauth]
Jun 12 10:18:28 sshd[48451]: Disconnected from authenticating user root 145.239.72.142 port 57066 [preauth]
Jun 12 10:18:34 sshd[12756]: Failed password for root from 181.30.99.114 port 55752 ssh2
Jun 12 10:18:35 sshd[12756]: Received disconnect from 181.30.99.114 port 55752:11: Bye Bye [preauth]
Jun 12 10:18:35 sshd[12756]: Disconnected from authenticating user root 181.30.99.114 port 55752 [preauth]
Jun 12 10:18:56 sshd[76176]: Invalid user admin from 188.226.202.13 port 65405
Jun 12 10:18:56 sshd[76176]: Failed password for invalid user admin from 188.226.202.13 port 65405 ssh2

...etc, etc. As we can see not only is a bruteforce attempt being made against the root account, but the same is being tried against other usernames. While strong passwords are one such defense against these attacks, I'd like to make sure the IP can never log in again. Luckily the distro I'm using comes with a tool installed and enabled by default called the Packet Filter. From the man page:

Packet filtering takes place in the kernel.  A pseudo-device, /dev/pf,
allows userland processes to control the behavior of the packet filter
through an ioctl(2) interface.  There are commands to enable and disable
the filter, load rulesets, add and remove individual rules or state table
entries, and retrieve statistics.  The most commonly used functions are
covered by pfctl(8).

The Packet Filter (or "PF") has its configuration file located at /etc/pf.conf. By adding a couple of lines we can create a new database table to PF & give it a rule to block any IP addresses.

table <lamerz> persist file "/etc/lamerz"
block in from <lamerz>

Here we've created the table named "lamerz" from a file in our /etc directory then told PF to block all inbound traffic from addresses in that file. Next we can quickly create the file...

touch /etc/lamerz

Now with our file created and ruleset established all that's left is to add addresses! This can be done with the "pfctl" tool. From pfctl's man:

The pfctl utility communicates with the packet filter device using the
ioctl interface described in pf(4).  It allows ruleset and parameter
configuration, and retrieval of status information from the packet
filter.  Packet filtering restricts the types of packets that pass
through network interfaces entering or leaving the host based on filter
rules as described in pf.conf(5).  The packet filter can also replace
addresses and ports of packets.

The command pfctl would use to add a ip address to the database table would be:

pfctl -t lamerz -T add 145.239.72.142

Our "t" flag is used to specify the table to use, then the capital "T" flag specifies the command. In this case adding an entry. Although this does NOT add the IP address to the file in our /etc directory. A different command used with the "T" flag, plus some redirection would accomplish this.