Terminate existing connections when using pf backend
Issue #17
resolved
If an attacker has an open connection to the target machine, this connection persists despite being added to the PF sshguard table (which blocks new connections). In the case of services that repeatedly respond to requests, this allows an attacker to continue indefinitely. This behavior was observed with saslauthd on FreeBSD 9.3.
The fix is to use the -k switch to pfctl, which causes any existing connections to be terminated. This requires two changes to src/fwalls/command_pf.h:
- add -k to COMMAND_BLOCK
- disable COMMAND_BLOCK_LIST (because -k takes only 1 argument)
Example:
- pfctl -k 127.0.0.5 -Tadd -t sshguard 127.0.0.5
--- src/fwalls/command_pf.h.orig 2014-10-10 13:26:40.426551874 -0700 +++ src/fwalls/command_pf.h 2014-10-10 13:31:46.977546696 -0700 @@ -39,3 +39,3 @@ */ -#define COMMAND_BLOCK PFCTL_PATH "/pfctl -Tadd -t sshguard $SSHG_ADDR" +#define COMMAND_BLOCK PFCTL_PATH "/pfctl -k $SSHG_ADDR -Tadd -t sshguard $SSHG_ADDR" @@ -47,3 +47,3 @@ */ -#define COMMAND_BLOCK_LIST PFCTL_PATH "/pfctl -Tadd -t sshguard `echo $SSHG_ADDR | tr ',' ' '`" +#define DISABLED_COMMAND_BLOCK_LIST PFCTL_PATH "/pfctl -Tadd -t sshguard `echo $SSHG_ADDR | tr ',' ' '`"
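Review bot: in the first hunk, the new COMMAND_BLOCK line should come with a sentence in the header comment (the `*/` at the top of the hunk shows one exists) explaining why `-k $SSHG_ADDR` precedes `-Tadd`: a single `-k host` kills the pf states originating from that host, so the attacker is cut off immediately instead of only being refused new connections, whereas a second `-k` would make pfctl match a source/destination pair. That also records the reason the list variant cannot simply pass several `-k` options, and it is worth noting that `$SSHG_ADDR` is now spliced into the shell command line twice, so whatever validation sshguard applies to the address before substitution must hold for both places.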
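Review bot: in the second hunk, renaming COMMAND_BLOCK_LIST to DISABLED_COMMAND_BLOCK_LIST leaves a dead macro in the header with no hint of why it is disabled. If the backend selects bulk blocking with `#ifdef COMMAND_BLOCK_LIST`, the rename does switch it off, but prefer either deleting the definition with a comment stating that pfctl -k accepts one host per run, or keeping bulk blocking by killing states once per address before the existing add, along the lines of `for a in \`echo $SSHG_ADDR | tr ',' ' '\`; do pfctl -k $a; done` followed by the unchanged `pfctl -Tadd -t sshguard ...` for the whole list.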
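The description above adds `-k` to the single-address block and drops the comma-separated list command because `-k` takes one host. The shell script below is an added example, not sshguard's code or the issue author's patch, and it goes a step further than the description: it kills states once per address and then adds the whole list to the table with one `-T add`, and it validates every address before anything reaches the shell command line. The `PFCTL` and `TABLE` variables, the dry-run default and the function names are assumptions of this example; the table name `sshguard` is the one used on this page.

```shell
#!/bin/sh
# Added example, not sshguard's own code: block one or more addresses in the
# pf "sshguard" table and also kill each address's existing pf states, which
# is what the -k change in the issue achieves for a single address.
# pfctl -k takes one host per invocation (a second -k means "states from host
# A to host B"), so states are killed in one pfctl call per address and then
# one "-T add" puts the whole list into the table, instead of giving up list
# blocking altogether.
#
# PFCTL and TABLE are assumptions of this example, not sshguard settings.
# PFCTL defaults to printing the pfctl invocations rather than executing them,
# so the script runs without root or pf; set PFCTL=/sbin/pfctl to run for real.
PFCTL="${PFCTL:-echo pfctl}"
TABLE="${TABLE:-sshguard}"

# valid_addr ADDR: accept only characters that can occur in an IPv4 or IPv6
# address (digits, hex letters, dots, colons), so a hostile string lifted from
# a log line can never be spliced into the pfctl command line.
valid_addr() {
    case "$1" in
        ''|*[!0-9A-Fa-f.:]*) return 1 ;;
        *) return 0 ;;
    esac
}

# block_addrs "A,B,C": validate every address first, then kill the states of
# each one and add them all to the table in a single call. Returns 1 without
# running anything if the list is empty or any entry is invalid, so a partial
# block is never applied.
block_addrs() {
    list=$(printf '%s' "$1" | tr ',' ' ')
    n=0
    for a in $list; do
        valid_addr "$a" || return 1
        n=$((n + 1))
    done
    [ "$n" -gt 0 ] || return 1
    for a in $list; do
        $PFCTL -k "$a" || return 1
    done
    $PFCTL -T add -t "$TABLE" $list
}

# Usage: ./block.sh 127.0.0.5,10.0.0.9   (prints the commands unless PFCTL is set)
if [ $# -gt 0 ]; then
    block_addrs "$1"
fi
```

Run with an address list as the only argument; with `PFCTL` left at its default the script only prints the `pfctl -k` and `pfctl -T add` lines it would execute, which makes it easy to confirm the order of operations before pointing it at a real pf.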
Comments (4)
- reporter: edited description
- changed title to Terminate existing connections when using pf backend
- assigned issue to
Good call; I've observed this behavior but didn't know how to fix it.
- changed status to resolved
Fixed in 9b174ac, thanks!