Block if X connections to a port in time frame



  • Is it possible to somehow block an IP address if it makes too many attempts to 'connect' to a port i.e. 25.

    Our mailserver (Kerio) is OK but it will happily let connections do brute force type attacks - why can't it do something like our firewall - i.e 10 tries then kick and ban.

    Well it can't so can I replicate this in pFSense somehow - been playing but it seems not.

    I've had a connection in Brazil thats been trying for 6 hours to log into our mail server that I have now blocked manually but it would be real nice if I could do this automatically. The culprit was trying 4 or five passwords per second.


  • Rebel Alliance

    Have you tried/played with this/or any other Firewall Rule Advanced Option ?




  • You can limit the connection attempts from a single IP through Firewall > Rules > edit rule > Advanced features > Advanced Options.

    If it's only the mail server you're worried about, I would definitely recommend installing the Postfix Forwarder package on pfSense.

    I had the same problem with MailEnable.  Now the mail server's logs are really boring.



  • I'll have a play with both. I had looked at the postfix forwarder but the description seemed to relate only to forwarding - but how does it respond to 'hammering' or brute force type attacks - I'm assuming that it will still respond to each and every request.

    The best possible 'password' system is one that doesn't provide any response whether you are correct or not. a password module that simply says - no try again indefinitely is very poor in my opinion. My Mail server will block a valid user if the password is wrong too often but will happily respond 'nope user doesn't exist' …


  • Banned

    @BenKenobe:

    The best possible 'password' system is one that doesn't provide any response whether you are correct or not.

    Sorry, this breaks relevant RFCs heavily. You'll break and lose your mail. Get the mailserver fixed so that it limits the number of failed attempts, or get a better mailserver or proxy it.



  • @BenKenobe:

    I had looked at the postfix forwarder but the description seemed to relate only to forwarding - but how does it respond to 'hammering' or brute force type attacks - I'm assuming that it will still respond to each and every request.

    Postfix stopped the "hammering" problem for me - as well as the bots.  You would have to read through the voluminous Postfix documentation to get a good feel for exactly how it achieves that but a few things that have made a huge difference for me are:

    • Ability to suck up hundreds of connections and calmly deal with them - your mail server never gets to see them.

    • Greylisting - "Sorry, I'm busy now. Come back later" - which they never do.

    • Enforcing strict SMTP protocol adherence.

    • Reverse DNS checking

    You can add spam filters and block lists to the package but I haven't had to bother with those yet.


  • Banned

    I also need to do something about brute force spammers on port 25. Looks like PostFix is no long an option in the available packages with release 2.3.1. The question I have with the other suggestion of using the advanced options is where and how long does the IP get blocked?



  • Hi,

    perhaps snort can help you if it detects brute-force attacks on this port and then blocks the "attacker" for a specific time.
    Having a short look at google gave me this thread. Perhaps it will help you:

    https://forum.pfsense.org/index.php?topic=72632.0

    Regards


Log in to reply