Archive for the ‘Geek’ tag
Stopping brute force SSH attacks with pf
pf, which originated from the OpenBSD project, is easily one of the most elegant firewalling solutions I’ve ever come across. Check this example out. I was getting pretty tired of all the SSH dictionary-type attacks on our new box - a problem compounded by the fact that we’re running various jails and so multiple instances of sshd - and so I looked for an easy way to stop this. The obvious solution is to move sshd off port 22, but I couldn’t be bothered with the user education for this to happen. Another option is to use something like DenyHosts, but as that has its own history of security vulnerabilities I decided against that as well.
Enter pf, and a trivial rule such as this:
pass in on $ext_if inet proto tcp from any to { $fork, <jails> } port ssh \
flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/40, \
overload <bruteforce> flush global)
So we have a table called ‘jails’ which contains a list of IP addresses for each hosted jail, and a persistent table called ‘bruteforce’. SSH to port 22 is allowed, however if there are more than 15 connections open from one source, or if that source opens more than 5 new connections in any 40-second window, they’re stuck into the ‘bruteforce’ table (and ‘flush global’ tears down any states they already hold). And right at the top, we have:
block quick from <bruteforce>
So they’re instantly blocked and tracked for future reference. A few days later…
$ sudo pfctl -t bruteforce -Tshow | wc -l
130
So 130 IP addresses caught and tracked. Nice.
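For reference, here is how those fragments fit together in one ruleset. This is an added example rather than the author’s pf.conf: the interface macro, $fork and the <jails> addresses are constructed placeholders, the block rule is narrowed to inbound traffic on $ext_if, and a <trusted> table is added so that an administrative host can’t lock itself out.

```pf
# Added example: a complete pf.conf skeleton built around the rules quoted in
# the post. Macro values and the addresses in the tables are constructed
# placeholders (RFC 5737 documentation ranges), not real hosts.
ext_if = "em0"              # assumption: external interface name
fork   = "192.0.2.10"       # assumption: the host's own address (the post's $fork)

# Jail addresses that also run their own sshd; edit to match the real jails.
table <jails> { 192.0.2.11, 192.0.2.12, 192.0.2.13 }

# 'persist' keeps the table and its entries even if no rule references it,
# so the record of offenders survives a ruleset reload.
table <bruteforce> persist

# Sources that must never be locked out (monitoring host, admin jump box).
# Constructed placeholder address.
table <trusted> { 198.51.100.5 }

# Offenders are blocked first; 'quick' stops rule evaluation here so nothing
# further down the ruleset can accidentally let them back in.
block in quick on $ext_if from <bruteforce>

# Trusted sources bypass the rate limit entirely.
pass in quick on $ext_if inet proto tcp from <trusted> \
    to { $fork, <jails> } port ssh flags S/SA keep state

# Everyone else: at most 15 simultaneous connections per source address, and
# no more than 5 new connections in any 40-second window. A source exceeding
# either limit is added to <bruteforce>, and 'flush global' kills every state
# it holds (not only ssh ones), so an existing session from it drops as well.
pass in on $ext_if inet proto tcp from any to { $fork, <jails> } port ssh \
    flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/40, \
    overload <bruteforce> flush global)
```

Entries in <bruteforce> never age out on their own; a periodic `pfctl -t bruteforce -T expire 86400` drops addresses that have been quiet for a day, and `pfctl -t bruteforce -T delete <address>` removes a single one by hand.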
Hosting Update
We’re now 95% live with the new hosting arrangement. Everything is sat on a not-so-shiny IBM x330 which is a dual 1.3GHz P3, 1GB of ECC RAM, 400GB of mirrored storage, and FreeBSD 6. I’ve migrated across pretty much all of the e-mail setup, some people’s websites, and of course my own personal stuff - which includes me using lighttpd instead of Apache httpd within my jail, and it’s a hell of a lot faster. The bandwidth and dedicated server performance helps matters as well though :)
Moving forward I’ll probably set up a mailing list so that people hosted on this new box can be easily notified of any work / outages, and I’ve been threatening to resurrect the old freebsd.cx website as I know you can import old PHPNuke sites into WordPress…
DNS Issues
So the glue for most of the domains that I host (freebsd.cx and dischord.org mainly) has come unstuck (lolz) thanks to the IP addresses for both the primary and secondary authoritative nameservers for these domains being wrong. The IP for the primary changed on Sunday and while the secondary should have been fine, the address that netdns.cx hold for ns2 is incorrect (don’t ask). Hence, no DNS.
I’ve got something working now - for dischord.org at least, freebsd.cx will be shagged for a while longer - so it should settle down a bit. I need to update the addresses for ns.freebsd.cx and ns2.freebsd.cx, only netdns.cx have changed their website again and my login details don’t work. It tries to mail a new password to my nick(at)freebsd.cx account, but as there’s no DNS for that domain it’s something of a chicken and egg situation. Of course, netdns’s helpdesk service is shit and might take up to a week to respond :(
* UPDATE
I ended up calling netdns.cx (out in Christmas Island) at 3am on Thursday morning and asking if they could sort this out. They did, and so freebsd.cx now has authoritative nameservers again.
It’s a sign
The new Santa Rosa equipped Apple laptops can’t come quick enough for me really (click for big):
I’m hoping that it’s a one-off, but as that’s the first time I’ve seen that happen in the 18 months I’ve owned the laptop it’s probably a sign of impending doom. Time to take advantage of my AppleCare warranty…
Pelican (and These Arms Are Snakes) last night were pretty good, although I missed the first half of TAAS’ set - thanks to walking miles in the wrong direction - but as I’ve seen them before I wasn’t too bothered. Pelican sounded awesome live, they played a good set which I enjoyed whilst throwing pints of Grolsch down my neck.
What wasn’t much fun was finding out that Bank was in fact shut just as we cruised through it on the tube. In my inebriated state I missed the next stop and so had to trek halfway across London via two other stations whilst busting for a piss. Fletch will probably say that’s my own fault though for living out in t’sticks…
10:08 <fletch> Acton!!!
10:08 <fletch> get that!
10:09 <fletch> Zone 78
10:09 <fletch> takes a week to get there by mule
