Archive for the ‘Site’ tag

Stopping brute force SSH attacks with pf

pf, which originated from the OpenBSD project, is easily one of the most elegant firewalling solutions I’ve ever come across. Check this example out. I was getting pretty tired of all the SSH dictionary-type attacks on our new box - a problem compounded by the fact that we’re running various jails and so multiple instances of sshd - and so I looked for an easy way to stop this. The obvious solution is to move sshd off port 22, but I couldn’t be bothered with the user education for this to happen. Another option is to use something like DenyHosts, but as that has its own history of security vulnerabilities I decided against that as well.

Enter pf, and a trivial rule such as this:

pass in on $ext_if inet proto tcp from any to { $fork, <jails> } port ssh \
flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/40, \
overload <bruteforce> flush global)

So we have a table called ‘jails’ which contains a list of IP addresses for each hosted jail, and a persistent table called ‘bruteforce’. SSH to port 22 is allowed; however, if one source address holds more than 15 connections at once, or opens new connections faster than 5 every 40 seconds, that address is stuck into the ‘bruteforce’ table and its existing states are flushed. And right at the top, we have:

block quick from <bruteforce>

So they’re instantly blocked and tracked for future reference. A few days later…

$ sudo pfctl -t bruteforce -Tshow | wc -l
130

So 130 IP addresses caught and tracked. Nice.
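A fuller pf.conf fragment built around the rule from the post, added here as an example rather than the post’s own configuration; the interface name and every address are placeholders, and the housekeeping commands in the trailing comments are standard pfctl table operations:

```conf
# Added example: a fuller pf.conf fragment around the rule from the post.
# Not the post's own configuration; interface and addresses are placeholders.
ext_if = "fxp0"                  # external interface (assumed name)
fork   = "192.0.2.10"            # the host's own SSH address (placeholder)

# One entry per hosted jail, each running its own sshd.
table <jails> { 192.0.2.11, 192.0.2.12, 192.0.2.13 }

# 'persist' keeps the table alive even while no rule references it and
# preserves its entries across 'pfctl -f /etc/pf.conf' reloads.
table <bruteforce> persist

# First rule: listed sources are dropped outright. 'quick' ends rule
# evaluation, so no later pass rule can let them back in.
block quick from <bruteforce>

# max-src-conn 15       : at most 15 simultaneous states from one source
# max-src-conn-rate 5/40: at most 5 new connections per 40 seconds
# overload <bruteforce> : on either limit, add the source to the table
# flush global          : and kill every state that source already holds,
#                         not just the ones created by this rule
pass in on $ext_if inet proto tcp from any to { $fork, <jails> } port ssh \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/40, overload <bruteforce> flush global)

# Housekeeping, since entries in a persist table never age out on their own.
# A legitimate host that opens many sessions (a backup script, an admin
# with several terminals) trips the same limits and ends up listed too.
#   pfctl -t bruteforce -T show                # list offenders
#   pfctl -t bruteforce -T delete 203.0.113.9  # free one address (placeholder)
#   pfctl -t bruteforce -T expire 86400        # cron: drop entries older than a day
```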

Written by nick

September 1st, 2007 at 9:39 am

Posted in Geek, General

Hosting Update

We’re now 95% live with the new hosting arrangement. Everything is sat on a not-so-shiny IBM x330 which is a dual 1.3GHz P3, 1GB of ECC RAM, 400GB of mirrored storage, and FreeBSD 6. I’ve migrated across pretty much all of the e-mail setup, some people’s websites, and of course my own personal stuff - which includes me using lighttpd instead of Apache httpd within my jail, and it’s a hell of a lot faster. The bandwidth and dedicated server performance helps matters as well though :)

Moving forward I’ll probably set up a mailing list so that people hosted on this new box can be easily notified of any work / outages, and I’ve been threatening to resurrect the old freebsd.cx website as I know you can import old PHPNuke sites into WordPress…

Written by nick

July 26th, 2007 at 9:50 pm

Posted in Geek, General, Site

DNS Issues

So the glue for most of the domains that I host (freebsd.cx and dischord.org mainly) has come unstuck (lolz) thanks to the IP addresses for both the primary and secondary authoritative nameservers for these domains being wrong. The IP for the primary changed on Sunday and while the secondary should have been fine, the address that netdns.cx hold for ns2 is incorrect (don’t ask). Hence, no DNS.

I’ve got something working now - for dischord.org at least, freebsd.cx will be shagged for a while longer - so it should settle down a bit. I need to update the addresses for ns.freebsd.cx and ns2.freebsd.cx only netdns.cx have changed their website again, and my login details don’t work. It tries to mail a new password to my nick(at)freebsd.cx account but as there’s no DNS for that domain it’s something of a chicken and egg situation. Of course, netdns’s helpdesk service is shit and might take up to a week to respond :(

* UPDATE

I ended up calling netdns.cx (out in Christmas Island) at 3am on Thursday morning and asking if they could sort this out. They did, and so freebsd.cx now has authoritative nameservers again.

Written by nick

June 19th, 2007 at 12:51 pm

Posted in Geek, General, Site

New photos and Flickr

While I think about what to do in terms of sorting a portfolio site for my photography - which might take a while considering I’ve still no broadband where I’m living - I’ve started uploading my newer photographs to Flickr. Additionally I’ve amended the bottom bar to display the latest pictures from my Flickr feed, so you’ll see the last 9 pictures down there which currently include some photos of These Arms Are Snakes and Trencher.

Written by nick

December 14th, 2006 at 10:13 am

Posted in General, Photography