Terminate existing connections when using pf backend

Create issue
Issue #17 resolved
johnv created an issue

If an attacker has an open connection to the target machine, this connection persists despite being added to the PF sshguard table (which blocks new connections). In the case of services that repeatedly respond to requests, this allows an attacker to continue indefinitely. This behavior observed with saslauthd on FreeBSD 9.3.

The fix is to use the -k switch to pfctl which causes any existing connections to be terminated. This requires two changes to src/fwalls/command_pf.h:

  1. add -k to COMMAND_BLOCK
  2. disable COMMAND_BLOCK_LIST (because -k takes only 1 argument)

Example:

  • pfctl -k 127.0.0.5 -Tadd -t sshguard 127.0.0.5
--- src/fwalls/command_pf.h.orig        2014-10-10 13:26:40.426551874 -0700
+++ src/fwalls/command_pf.h     2014-10-10 13:31:46.977546696 -0700
@@ -39,3 +39,3 @@
  */
-#define COMMAND_BLOCK       PFCTL_PATH "/pfctl -Tadd -t sshguard $SSHG_ADDR"
+#define COMMAND_BLOCK       PFCTL_PATH "/pfctl -k $SSHG_ADDR -Tadd -t sshguard $SSHG_ADDR"

@@ -47,3 +47,3 @@
  */
-#define COMMAND_BLOCK_LIST  PFCTL_PATH "/pfctl -Tadd -t sshguard `echo $SSHG_ADDR | tr ',' ' '`"
+#define DISABLED_COMMAND_BLOCK_LIST  PFCTL_PATH "/pfctl -Tadd -t sshguard `echo $SSHG_ADDR | tr ',' ' '`"

Comments (4)

  1. Log in to comment