FreeBSD

Block attacker IP addresses, four ways

If you run WordPress you’ve seen these in your web server logs:

132.232.46.230 - - [29/Oct/2020:13:58:41 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:44 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:48 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:52 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:55 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:58 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"


Fucken scanners just slamming xmlrpc.php looking for a way in. When this happens CPU usage just goes through the roof for as long as the scan lasts and it could be five minutes, could be six hours, could be all week; before it ends. The gods help you if you’re paying by CPU usage.

So you have to block access to the file. You could just block all access to XML-RPC but doing this will prevent the WP mobile app from working.

We’ll just block that specific IP address but we need to be quick about it; just do a quick one liner on the terminal before the OS just topples over and becomes completely unresponsive or worse.

iptables

This should work for any Linux distribution that has iptables out of the box which is basically all of them.

# iptables -I INPUT -s 132.232.46.230 -j DROP

• -I: Insert the rule as the first rule to be applied in the INPUT chain. You could use -A (append) but the sooner we get rid of that traffic the less work the CPU has to do.
• -s: Source address, in this case 132.232.46.230, which belongs to Tencent.
• -j: jump to the DROP target. If you use the REJECT target you’re just creating more work for the CPU.

Documentation here but the Ubuntu how-to is far more useful in getting people started.

pf

As it is part of both FreeBSD and OpenBSD base installations it should be enabled in /etc/rc.conf but from reading the (almost useless) documentation and looking around the web You need to fuck around with pf.conf first, then you can manipulate the table. This is the first result on the web when you search for “pf block ip address”. So no one-liner that can save your life.

Edit /etc/pf.conf and add

table <badhosts> persist
block on fxp0 from <badhosts> to any

• Create table named badhosts, and set it to be persistent in kernel memory
• Block, on interface fxp0 (you’ll want to change this), traffic from rules in the badhosts table to any destination.

Once you have this you can manipulate the table from the command line with pfctl

# pfctl -t badhosts -T add 132.232.46.230

• -t means pfctl will manipulate the badhosts table
• -T will show statistics
• add address 132.232.46.230 to the table

Fucken hell FreeBSD documentation is the fucken worst. Dryer than Melania Trump’s libido. Now, reading through the OpenBSD pf documentation it looks like you can do

# pfctl -t badhosts -T add 203.0.113.0/24


Which will create the badhosts table automatically without having to fuck around with /etc/pf.conf. Don’t know if this will work on FreeBSD though.

ipfw

It is part of the FreeBSD base installation so it does depend on ipfw being enabled in /etc/rc.conf but it looks like you can go

# ipfw add deny all from 132.232.46.230 to any

• Add rule denying any and all fraffic from 132.232.46.230 to any destination

At least these rules are succint and easy to read. Whomever wrote the documentation seemed to pay more attention to usage at least.

Still, fuck FreeBSD.

Windows

Super easy now that PowerShell is built into Windows itself:

PS C:\WINDOWS\system32> New-NetFirewallRule -DisplayName "Block traffic from 132.232.46.230" -Direction Inbound -LocalPort Any -Protocol Any - Action Block -RemoteAddress 132.232.46.230

• -DisplayName: The human-readable name of the firewall rule
• -Direction: Can be Outbound or Inbound. We want Inbound obviously.
• -LocalPort: Going with any ports because fuck crackers.
• -Protocol: Same, block all port
• -Action: Block traffic
• -RemoteAddress: Specifying only 132.232.46.230

The documentation for the commandlet is super nice. No, I’m not typing ‘cmdlet’.

The old way involved so, so manny clicks. PowerShell makes it easy.

Now all of the previous bits of code cease to have any effect after a system reboot so if you want the rules to be permanent… don’t. Blackhats will just scan from different hosts and different networks so blocking an IP address permanently is just unproductive.

A better solution is to use fail2ban:

There is also CrowdSec but I haven’t personally used them.

This post came to be cos I spent 30+ minutes trying to figure out how to block traffic on a FreeBSD host and their documentation is just… inscrutable. Should you ask for help in their forums you’ll just get told to RTFM.

You end up going in circles, consuming yourself in rage and frustration which does not feel nice. Rage-posting is where it’sat.

You did good!

After two years…. it was time to retire my trusty Thinkpad T60 that I turned into a WiFi AP for my LAN. Its name is blackslab and it’s been with me for about 8 years now. She’s earned a nice long break.

I had been running into a ton of issues lately:

• There are way too many wireless networks around me. A quick look at the network selector on Windows has 11 networks in there. This was interfering with my gaming.
• Debian is a fucking bitch to deal with these days. Systemd is polluting everything in it.
• Network instability is a thing. After every reboot I had to manually bring the WAN interface up. It’s a thing and I just didn’t want to deal with it anymore.

So now I’m setting up FreeBSD on a small form factor PC to take its place. It’s not the cheapest when it comes to energy use but it should do the trick. In the interim I’ve got a cheap ASUS router running things since Windows ICS is so fucking unreliable; tried setting up FreeBSD through it and it was a slog.

Hopefully I’ll be able to stop banging my head against PF sometime in the next 12 hours so I can actually set the thing up as the main LAN controller.

UNIX vs. FLOS

To me, the core of a UNIX system is a philosophical matter. To quote Mike Gancarz’s The UNIX Philosophy from 1994, UNIX has 9 paramount precepts:

1. Small is beautiful.
2. Make each program do one thing well.
3. Build a prototype as soon as possible.
4. Choose portability over efficiency.
5. Store data in flat text files.
7. Use shell scripts to increase leverage and portability.
8. Avoid captive user interfaces.
9. Make every program a filter.

FLOS is a nearly diametrically opposed design, with design concepts like the following:

• FLOS avoids scripts, and prefers to split tasks into compiled logic interacting with logic-less configuration files.
• FLOS prioritizes ease of machine manipulablity over human manipulablity.
• The components of FLOS communicate over D-Bus rather than sockets and pipes.
• FLOS is built on a core of monolithic programs which attempt to synergisticly manage multiple complex components.
• FLOS leverages features specific to Linux and ignores portability.
• FLOS prefers tightly integrated components to generic solutions.

I’m not sure that this is a bad design, but it is most definitely not UNIX or anything like it.

via Linux Reddit.

This here explains why a lot of stuff simply doesn’t work the way it used to: Xorg, NetworkManager, Pulseaudio. It also explains why no one outside of IT uses Linux for real-world software development; you don’t have to fight OS X to get started writing code. FreeBSD is almost there as well, with people switching over to it to avoid dealing with the eldritch abomination that is D-Bus.

Are FLOS proponents still butthurt by Microsoft? So much that they would turn the OS on top of Linux-the-kernel into a bad imitation of Windows?