1. 3

  2. 1

    I think the abstract egress interface-group may not exist so you’d have to specify the interface directly (either inline or as a macro)

    Or define the group in your interface config:

    ifconfig_em1="SYNCDHCP group egress"

    I have groups for all my interfaces so I don’t have to hardcode anything in pf.conf.

    1. 1

      Why do people insist on running sshd on an unprivileged port when it is obviously a bad idea?

      1. 5

        How is an unprivileged user going to get the server ssh key to match the fingerprint probe? /etc/sshd/ is restricted to the root or sshd user on every Linux distro I’ve used.

        1. 1

          sshfp would be my recommendation there. https://en.wikipedia.org/wiki/SSHFP_record unless I’m misunderstanding what you’re asking exactly regarding the server fingerprint. Shunting it to dns seems the best option.

          As to the article, I block by country, and have a rate limiter and also just set up a cronjob of the following to scan my authlogs and add to the same rate limited bruteforcers pf table. (I expire entries after a month or so just to keep memory usage down).

          Yeah yeah I know there are things that do this, this took all of 5 minutes to program and only a bit more to debug.

          #!/usr/bin/env sh
          set -e
          grep -Ev '(10.10.10||mitch|Accepted|disconnected by user)' /var/log/authlog | perl -ne 'if ($_ =~ m/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/) { print $& . "\n"; }' | sort -u | xargs -n 2000 pfctl -t bruteforce -T add
          for x in $(pfctl -t bruteforce -T show | grep 10.10.10); do
            pfctl -t bruteforce -T delete "${x}"
          done
          pfctl -t bruteforce -T delete $(ifconfig em0| grep inet | grep -Ev prefixlen| awk '{print $2}')

          It’s not pretty but it works, and means I can keep ssh on its normal port. I only allow ssh keys anyway so it’s not like it’s doing much more than keeping my logs clean really. There’s a few things I could improve too like the grep | grep by throwing it all into awk but eh, it’s such a minor nit I don’t care much. The last bits are there just in case anything on my internal subnet or the host itself ever found itself on the blocked table. YMMV this is mostly just a log cleaner more than anything.
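An added example, not part of the comment above or of the script posted in it: a single-pass awk version of the authlog scan that runs offline against constructed log lines and prints the addresses that would be fed to `pfctl -t bruteforce -T add`. The function names, the sample lines and the own-address value 192.0.2.1 are assumptions; unlike the posted one-liner it only looks at failed-login lines and reads the address from the `from ADDR port` tail that sshd writes.

```shell
#!/bin/sh
# Added example: names and sample values here are assumptions, not from the thread.

# Constructed authlog lines (documentation-range addresses, plus the
# 10.10.10.x internal subnet mentioned in the comment).
sample_authlog() {
cat <<'EOF'
Mar  3 04:11:02 gw sshd[4211]: Failed password for invalid user pi from 203.0.113.7 port 51122 ssh2
Mar  3 04:11:09 gw sshd[4215]: Invalid user oracle from 198.51.100.23 port 40022
Mar  3 04:12:40 gw sshd[4230]: Failed password for root from 203.0.113.7 port 51190 ssh2
Mar  3 04:13:01 gw sshd[4302]: Accepted publickey for mitch from 192.0.2.10 port 50514 ssh2
Mar  3 04:14:15 gw sshd[4310]: Failed password for root from 10.10.10.44 port 39000 ssh2
Mar  3 04:15:00 gw sshd[4322]: Failed password for root from 110.10.10.5 port 41000 ssh2
Mar  3 04:15:30 gw sshd[4330]: Failed password for invalid user 192.0.2.77 from 203.0.113.9 port 41001 ssh2
Mar  3 04:16:00 gw sshd[4340]: Failed password for root from 192.0.2.1 port 2222 ssh2
Mar  3 04:16:30 gw sshd[4350]: Failed password for root from 999.1.1.1 port 2223 ssh2
EOF
}

# Reads authlog lines on stdin; prints unique source addresses of failed logins.
# $1 = internal prefix to skip, with trailing dot; $2 = this host's own address.
extract_offenders() {
    awk -v internal="$1" -v self="$2" '
        !/Failed password|Invalid user/ { next }   # only failed attempts
        {
            ip = ""
            # Use the "from ADDR port N" tail that sshd writes; the last match
            # wins, so text inside the user name field is never taken as the source.
            for (i = 1; i <= NF - 2; i++)
                if ($i == "from" && $(i + 2) == "port") ip = $(i + 1)
            # Accept only a well-formed dotted quad with octets 0-255.
            n = split(ip, o, ".")
            if (n != 4) next
            for (j = 1; j <= 4; j++)
                if (o[j] !~ /^[0-9]+$/ || o[j] + 0 > 255) next
            # Literal prefix match: "10.10.10." does not also match 110.10.10.5.
            if (index(ip, internal) == 1 || ip == self) next
            print ip
        }' | LC_ALL=C sort -u
}

# Print what would be added; pipe into "xargs pfctl -t bruteforce -T add" to apply.
sample_authlog | extract_offenders "10.10.10." "192.0.2.1"
```

Because internal and own addresses are filtered before anything reaches the table, the separate delete pass is only needed for entries added earlier.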

          1. 2

            I think you misunderstood me. I’m saying that an attacker on the same machine can’t spoof or MITM my ssh daemon because it doesn’t have the right key. So running sshd on an unprivileged port is probably okay.

            I don’t bother with any of this on my machines. I just disallow password login and ignore the logs.

            1. 1

              Ah yeah I’m not worried about spoofing or mitm on my own machine. If I was worried about that I would have far bigger problems relating to multiple personalities. My misunderstanding then.

              I just like to keep the logs a bit trimmer. Waste of space with tons of failed login messages for pi/root/oracle/etc.. in my opinion. Also it’s rather amusing at what gets attempted for logins.

        2. 1

          You can bind sshd on multiple ports and block 22 on your firewall.