
I get a lot of unwanted traffic from Chinese IP addresses. I'm using an old Mac with OS X 10.7.5 (my Mac is ancient, so I cannot update further), so I imagine it's more vulnerable than a newer Mac would be.

This page gave an excellent tutorial about how to use pfctl to detect sshd "attackers" who violate certain rules and add them to a blacklist. In my naive understanding, this applies only to sshd connections.

How can I generalize that tutorial to block other kinds of traffic as well? In particular, I have unwanted traffic involving sshd, sshd-keygen-wrapper, and screensharingd, though I'd love to block any traffic that has too many simultaneous connections or too many attempts within a certain amount of time.

jvriesem

1 Answer

You can simply replace:

table <attackers> persist
block log quick from <attackers>
pass in quick proto tcp from any port ssh flags S/SA keep state (max-src-conn 3, max-src-conn-rate 5/60, overload <attackers> flush global)

with:

table <attackers> persist
block log quick from <attackers>
pass in quick proto tcp from any flags S/SA keep state (max-src-conn 3, max-src-conn-rate 5/60, overload <attackers> flush global)

If you want to restrict this to specific ports, use ... port {22, 443, 5900:5902} ... instead of ... port ssh ....

klanomath

  • Is this essentially what Little Snitch does? – jvriesem May 01 '17 at 18:24
  • @jvriesem No, LS does the opposite: it blocks outgoing requests based on apps (and decided by the user). pfctl blocks incoming requests (in the above example). – klanomath May 01 '17 at 18:26
  • Is there a general way to do this for incoming and outgoing... or is that a separate question? (thanks again!) – jvriesem May 01 '17 at 18:27
  • @jvriesem This is a separate question, yes. It can be done with pfctl but it's a real hassle compared to Little Snitch. – klanomath May 01 '17 at 18:29
  • @jvriesem At the moment you can get LS for ~$10, but it's a bit complicated and some basic knowledge of the German language is required. You have to buy a German PDF for 8,95 € which entitles you to register LS and some other macOS apps for free with your email address. – klanomath May 01 '17 at 18:34
  • @jvriesem How to Use Terminal for “Little Snitch” Functionality without Little Snitch. My answer there is a simple example with http/https traffic and some domains only. If you want to block outgoing traffic for more apps (=ports) profound knowledge of the ports used and the external sites targeted is required and the org.user.block.out gets really large and confusingly complex (unübersichtlich is a better German word with no direct English translation). – klanomath May 01 '17 at 18:46