OpenBSD - Handling unwanted ssh access
Hi!
Like any server with an SSH port open to the Internet, mine constantly receives connection attempts from people and automated systems trying to get in. There is a whole range of possible countermeasures, but the one I describe here has the merit of applying to SSH and, if needed, to other services as well.
The tool in question is the host IDS “ossec”. First, let’s install it on OpenBSD (easy, it’s in the packages).
$ doas pkg_add ossec-hids
Then let’s configure the “active response” part. The configuration files shipped with the package are not written for “pf”, so let’s fix that. Simply take the “firewall-drop.sh” file and point it at the script that knows how to drive “pf”: first rename the original in place so it is kept, then create a symbolic link “pf.sh” -> “firewall-drop.sh”.
# cd /usr/local/ossec-hids/active-response/bin/
# mv firewall-drop.sh iptables.sh
# ln -s pf.sh firewall-drop.sh
If we look at the content of “pf.sh”, we can see that it adds addresses to a pf table named “ossec_fwtable”. Let’s define it in “/etc/pf.conf” (note that in pf.conf the “persist” keyword comes after the table name; a table by itself blocks nothing, so a “block” rule must also reference it).
table <ossec_fwtable> persist
Now let’s modify the active defense mode activation rules.
If we look at the basic configuration “/usr/local/ossec-hids/rules/sshd_rules.xml”, we note:
<active-response>
<!-- Firewall Drop response. Block the IP for
- 600 seconds on the firewall (iptables,
- ipfilter, etc.).
-->
<command>firewall-drop</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
Which basically says that an alert of level 6 or higher must be raised for “firewall-drop.sh” to be executed, and that the resulting block lasts 600 seconds.
Now let’s check two things:
- How are failed logins recorded in OpenBSD’s “auth.log” file? Here is an excerpt from the file:
Nov 19 10:00:41 foo sshd[19571]: Invalid user dev from x.y.z.t port 56464
- Which rule in the “/usr/local/ossec-hids/rules/sshd_rules.xml” file matches it
So the rule I’m interested in is:
<rule id="5710" level="5">
<if_sid>5700</if_sid>
<match>illegal user|invalid user</match>
<description>Attempt to login using a non-existent user</description>
<group>invalid_login,authentication_failed,</group>
</rule>
The rule has the number “5710” and a level of 5, which on its own is not enough for us, since we saw above that a level of at least 6 is required for “firewall-drop.sh” to be executed.
Since modifying the files shipped with the package is not a good idea, let’s instead edit the “local_rules.xml” file, which exists precisely for local changes.
- The new rule will have the number 100100;
- Its level is 7 (higher than what “firewall-drop.sh” requires);
- It fires when rule 5710 matches twice within 180 seconds for the same source IP address.
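Here is what that rule looks like in “local_rules.xml”, as an added example rather than the post’s own file; the description text and the enclosing group name are my choices, the numbers are the ones listed above:

```xml
<!-- /usr/local/ossec-hids/rules/local_rules.xml -->
<group name="local,syslog,">

  <!-- Two matches of rule 5710 (invalid user) from the same source IP
       within 180 seconds raise a level 7 alert, which is above the
       level 6 threshold of the firewall-drop active response. -->
  <rule id="100100" level="7" frequency="2" timeframe="180">
    <if_matched_sid>5710</if_matched_sid>
    <same_source_ip />
    <description>Repeated SSH logins with non-existent users from one source</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```

Feed a few copies of the “Invalid user” log line to /usr/local/ossec-hids/bin/ossec-logtest before restarting to confirm the rule loads and reaches level 7; OSSEC’s rules documentation warns that the number of matches actually needed to fire a frequency rule can be higher than the “frequency” value, so adjust it after testing.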
All that remains is to reload the firewall (you know how to do it) and then restart “ossec”:
# rcctl restart ossec_hids
Cheers