Brute force demonstration and simulation

den555
Posts: 8
Joined: Wed Jun 10, 2015 6:39 am

Brute force demonstration and simulation

Post by den555 » Thu Mar 17, 2016 10:47 pm

Hello,

My brute force table is empty and this made me nervous :) because I don't think that it could be real in the modern world.
Could you please tell me what instruments and applications I could use to test the MurusPro configuration and its ability to stop a brute force attack.

If you have time, it would be great to publish a YouTube video for brute force demonstration and simulation.

Best regards.

hany
Posts: 483
Joined: Wed Dec 10, 2014 5:20 pm

Re: Brute force demonstration and simulation

Post by hany » Fri Mar 18, 2016 12:08 am

My brute force table is empty and this made me nervous
lol :)
because I don't think that it could be real in the modern world.
it isn't
Could you please tell me what instruments and applications I could use to test the MurusPro configuration and its ability to stop a brute force attack
Sure!
You need 3 things:
1) your Mac running Murus
2) a second real or virtual computer
3) an ssh client running on this second computer

- on your Mac, starting from Murus default configuration, simply drag SSH service from the library to inbound services
- click the SSH's magnifier icon to open SSH rules popover view, click the big gear button to reveal options then check the brute force thing, use default values
- click play in the toolbar to start pf
- from a remote computer (or a VM) try to connect to your Mac's SSH. Try to connect providing the wrong password a couple of times. Usually ssh clients make 3 password attempts per connection. Please consider that if you set "max connections" to 3 then you need to make 10 "wrong" ssh connections in order to trigger the brute force block. If you set "max connections" to 2 then you require 7 ssh connections, and so on.
- once triggered, Murus will add the remote IP to the <bruteforce> pf table in the /murus.inbound anchor; you can see it using the Murus pf rules browser or Murus Proactivity -> Brute Force panel.

If you expect to see remote brute force attempts from the Internet then you have to verify that your Mac's port 22 is public; check your router configuration.
If you run a more complex Murus configuration then verify that the SSH service is managed at the end of the list, or at least verify that none of the managed services overrides port 22. Using Murus 1.4 you will immediately see if a service is overridden or overrides other services; have a look at it :)

den555
Posts: 8
Joined: Wed Jun 10, 2015 6:39 am

Re: Brute force demonstration and simulation

Post by den555 » Sun Mar 27, 2016 2:38 am

Thank You, Hany
(sorry for being a bit late with this)

Your recipe works fine.

I have a question about the slider "max connections".
Does it count all connections for the defined amount of time, I mean established and blocked?
As I understand it, Murus can't count the quantity of unsuccessful attempts to login (because this is application level).

I need advice for resolving this situation.
I connect to the server from my home, where several devices are checking mail on the server. The devices can establish 10-20 connections in 5 minutes. If I set max connections = 10, Murus blocks my IP (for the period of time I set in Murus settings) and I can't reach the server. I want to mention that all those connections are successful.

By the way, port knocking (if set) blocked my IP in this situation from time to time. I think my devices are drumming on the server's different ports and Murus interprets this as an inappropriate knocking sequence. One thing to add: it would be better to develop a port knocking client for Mac that could save the port sequence.

As I noticed, Murus clears the bruteforce table (as well as the port knocking table) after pushing the Play button. Is there a workaround for it? I want to keep a blocked IP that is really suspicious blocked for the set period of time and have the possibility to add new rules to Murus and restart it.

Thanks.

den555
Posts: 8
Joined: Wed Jun 10, 2015 6:39 am

Re: Brute force demonstration and simulation

Post by den555 » Fri Apr 08, 2016 4:17 pm

Hi, Hany

Thank you for your reply in the other posts - it makes the use of Murus clearer.
Also, I've found a button in Proactivity that adds IPs to the blacklist in case I want to restart Murus and keep suspicious IPs blocked.

But could you reply to my question about the Max Connections slider under the brute force flag setting?
Is it measuring all connections from a given IP: well authenticated and failed?

Thank you, Denis.

hany
Posts: 483
Joined: Wed Dec 10, 2014 5:20 pm

Re: Brute force demonstration and simulation

Post by hany » Thu May 26, 2016 3:04 pm

@den555
But could you reply to my question about the Max Connections slider under the brute force flag setting?
Is it measuring all connections from a given IP: well authenticated and failed?
yes, the slider indicates the maximum number of connections.

@theoretician
murus seems to block after a certain number of connections in a certain time independent of whether the authentication was successful or not!!
sure it does, that's how brute force protection is intended to be (at layer 3, the network layer).
A connection is described by source and destination addresses and ports, protocols, and some other parameters. You can't be aware of what an app/daemon actually uses this connection for.
To check for failed/successful authentication you need something that runs at layer 7 (the application layer).
This would seem to be a limitation of the software
Being a PF front end, the purpose of Murus is only to set rules at the network level.
Also, combining this with port knocking, I find that the brute force blocked IPs are going into the port knocking blacklist, not the brute force one. This must be a bug.
This is interesting, I will immediately try to replicate the bug and fix it :) thanks !
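The layer-3 mechanism hany describes here and in the step-by-step recipe above, written out as a hand-made pf.conf fragment (an added example, not the ruleset Murus generates): pf counts new TCP connections per source address and, past the limit, drops the source into the <bruteforce> table, with no knowledge of whether the SSH logins succeeded. The interface name, the 3-connections-per-60-seconds rate and the trusted addresses are assumed values.

```pf
# Added example (constructed, not Murus's generated rules): per-source
# connection rate limiting on port 22 at the packet-filter level.
ext_if = "en0"            # assumed external interface

# Sources that must never be rate limited, e.g. a home network whose
# mail clients open 10-20 connections in a few minutes (assumed values).
table <trusted> { 198.51.100.7, 192.0.2.0/24 }

# Defined with no address list and "persist": pf keeps the table (and its
# entries) even when no rule references it and across ruleset reloads,
# so offenders stay blocked until they are explicitly expired or deleted.
table <bruteforce> persist

# Anything already listed is dropped before the pass rules are evaluated.
block drop in quick on $ext_if from <bruteforce>

# Trusted sources are passed without any connection counting.
pass in quick on $ext_if proto tcp from <trusted> to ($ext_if) port 22 \
    flags S/SA keep state

# Everyone else: more than 3 new connections within 60 s from one source
# address adds that address to <bruteforce> and flushes its existing states.
# pf only sees SYNs and state entries, so successful and failed SSH logins
# count the same; counting failed logins needs a layer-7 tool reading sshd's log.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn-rate 3/60, overload <bruteforce> flush global)
```

With these rules loaded, `pfctl -t bruteforce -T show` lists the addresses currently blocked (add `-a murus.inbound` when the table lives in that anchor, as in Murus), and a remote client that opens a fourth SSH connection inside a minute appears there whether or not its passwords were correct.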
