From: Daniel Gerzo
Date: Fri, 7 Oct 2005 13:08:33 +0200
To: Enrique Ayesta Perojo
Cc: questions@freebsd.org
Subject: Re[2]: bruteforceblocker + PF
Message-ID: <1278385121.20051007130833@rulez.sk>
In-Reply-To: <200510071012.38464.eayesta@portugalete.uned.es>
References: <867109688.20051006221846@rulez.sk> <200510071012.38464.eayesta@portugalete.uned.es>
List-Id: freebsd-questions (User questions)

Hello Enrique,

Friday, October 7, 2005, 10:12:34 AM, you wrote:

> On Thursday, 06 October 2005 22:18, Daniel Gerzo wrote:
>> Hi questions, Enrique Ayesta Perojo,
>>
>> It seems like bruteforceblocker is running, since you can see
>> messages in your auth.log. This is good. Could you please provide
>> me info on which version of OpenSSH you are using, so I can debug? I
>> have some reports that my bruteforceblocker does not work with
>> older versions of OpenSSH, since they use a little bit different
>> format of warnings, so my regexps do not apply. Also, please send
>> here the format of those messages.
>>
>> Thank you.
>
> This is the version:
>
> OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7e 25 Oct 2004
>
> It's a FreeBSD 5.4-p7 box, and here are some of the messages
> at /var/log/auth.log:
>
> Oct 6 18:29:26 fatboy sshd[28472]: Illegal user jack from 63.67.26.114
> Oct 6 18:29:26 fatboy sshd[28472]: reverse mapping checking getaddrinfo for host114.nokia-boston.com failed - POSSIBLE BREAKIN ATTEMPT!
> Oct 5 18:53:33 fatboy sshd[20731]: Illegal user pepito from 10.200.62.201
> Oct 5 18:53:33 fatboy sshd[20731]: Failed unknown for illegal user pepito from 10.200.62.201 port 44241 ssh2

Yeah, that's what I thought it would be ;-) OpenSSH <= 3.8 uses a little bit different warning messages. You have two ways to make BruteForceBlocker work with your installation:

1) Update your OpenSSH to 4.2; you can find the port in security/openssh-portable (you can use the -DOPENSSH_OVERWRITE_BASE option). Note that this is the one I prefer.

2) Modify the source code of BruteForceBlocker so that my regexps match your warnings. Modify lines 58-60; for example, change

    Failed password.*from ((?:\d{1,3}\.){3}\d{1,3}) port

to

    Failed unknown for illegal user.*from ((?:\d{1,3}\.){3}\d{1,3}) port

or

    Invalid user.*from ((?:\d{1,3}\.){3}\d{1,3})

to

    Illegal user.*from ((?:\d{1,3}\.){3}\d{1,3})

> Thanks again

No problem, you are welcome. Let me know if it works.

-- 
Sincerely,
 Daniel Gerzo
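The following is an added example, not code from this thread or from bruteforceblocker itself. It shows the point of option 2 above: the four regular expressions Daniel quotes, applied to auth.log lines in both the OpenSSH <= 3.8 ("Illegal user" / "Failed unknown for illegal user") and the newer ("Invalid user" / "Failed password") formats, with failures counted per source address and a candidate list produced once a threshold is reached. The log lines are constructed (the two from Enrique's log plus made-up newer-format lines using 192.0.2.0/24 documentation addresses); the threshold of 3, the pf table name "bruteforce" and all function names are assumptions for illustration. The pfctl command is only built as a string, never executed.

```python
import re
from collections import Counter

# The four patterns from the reply above, grouped by the sshd log format
# they belong to. Matching is case-sensitive, so "Invalid user" does not
# also match "Failed password for invalid user ..." (and vice versa).
PATTERNS = {
    "openssh>=3.9": [
        re.compile(r"Failed password.*from ((?:\d{1,3}\.){3}\d{1,3}) port"),
        re.compile(r"Invalid user.*from ((?:\d{1,3}\.){3}\d{1,3})"),
    ],
    "openssh<=3.8": [
        re.compile(r"Failed unknown for illegal user.*from ((?:\d{1,3}\.){3}\d{1,3}) port"),
        re.compile(r"Illegal user.*from ((?:\d{1,3}\.){3}\d{1,3})"),
    ],
}

# Constructed sample input: the two old-format lines from the thread plus
# made-up newer-format lines. 192.0.2.0/24 and 198.51.100.0/24 are
# documentation ranges, not real hosts.
SAMPLE_LOG = """\
Oct  6 18:29:26 fatboy sshd[28472]: Illegal user jack from 63.67.26.114
Oct  5 18:53:33 fatboy sshd[20731]: Failed unknown for illegal user pepito from 10.200.62.201 port 44241 ssh2
Oct  7 09:01:02 fatboy sshd[30111]: Invalid user admin from 192.0.2.10
Oct  7 09:01:05 fatboy sshd[30111]: Failed password for invalid user admin from 192.0.2.10 port 51000 ssh2
Oct  7 09:01:09 fatboy sshd[30115]: Failed password for root from 192.0.2.10 port 51004 ssh2
Oct  7 09:02:00 fatboy sshd[30120]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
"""


def classify(line):
    """Return (format_name, source_ip) for a failed-login line, else None.

    The first matching pattern wins, so each line is counted at most once.
    """
    for fmt, regexes in PATTERNS.items():
        for rx in regexes:
            m = rx.search(line)
            if m:
                return fmt, m.group(1)
    return None


def count_failures(log_text):
    """Count failed-login lines per source IP across the whole log text.

    Returns (counts, formats): counts maps ip -> number of failures,
    formats maps ip -> which sshd log format was seen for that ip.
    """
    counts = Counter()
    formats = {}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue  # successful logins and unrelated lines are ignored
        fmt, ip = hit
        counts[ip] += 1
        formats[ip] = fmt
    return counts, formats


def candidates(counts, threshold=3):
    """Addresses with at least `threshold` failures, sorted (threshold is assumed)."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def pf_add_command(ip, table="bruteforce"):
    """Build (but do not run) the pfctl command that adds ip to a pf table.

    The table name is an assumption for this example; `pfctl -t T -T add A`
    is the standard pf syntax for adding an address to table T.
    """
    return f"pfctl -t {table} -T add {ip}"


if __name__ == "__main__":
    counts, formats = count_failures(SAMPLE_LOG)
    for ip in candidates(counts):
        print(f"{ip}: {counts[ip]} failures ({formats[ip]}) -> {pf_add_command(ip)}")
```

Running the block prints one line for 192.0.2.10 (three failures in the newer format); the two old-format addresses from Enrique's log are recognised but stay below the threshold. Keeping both pattern sets active, rather than editing one into the other, lets the same scanner cope with a mixed environment or an sshd upgrade without changing the regexps again.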