From: Enrique Ayesta Perojo
To: freebsd-questions@freebsd.org
Date: Wed, 5 Oct 2005 12:04:54 +0200
Subject: bruteforceblocker + PF
Message-Id: <200510051204.54331.eayesta@portugalete.uned.es>

Hello,

I'm trying to install the bruteforceblocker script to stop ssh attacks, but I'm having a problem with PF because it seems not to block the attacker's IP. The machine is connected to the Internet and has some needed services for the LAN, so I want to log and block only outside attacks.

The bruteforceblocker script seems to be working, because I can read the initial time of it at /var/log/auth.log, so I think the problem may be in my pf configuration. Any help?

Thanks a lot

####/etc/pf.conf####
table <bruteforce> persist file "/var/log/bruteforce"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# filter rules
block all
pass quick on lo0 all
pass in on bge0 from 10.200.62.0/24 to 10.200.62.17
pass out on bge0 from 10.200.62.17 to 10.200.62.0/24
block in log quick inet proto tcp from <bruteforce> to any port ssh

####This is my conf of bruteforceblocker####
my $logfile = '/var/log/auth.log';      # file where this script will log to
my $pfctl = '/sbin/pfctl';              # pfctl binary
my $table = 'bruteforce';               # pf table
my $tablefile = '/var/log/bruteforce';  # file where table persist
my $max_attempts = 3;                   # number of max allowed fails
my $timeout = 3600;                     # number of seconds after resetting of ip
my %count = ();                         # number of failed tries
my %time = ();                          # last modified time
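
Added example, not part of the original post and not bruteforceblocker's own code: the counting behaviour that the $max_attempts, $timeout and $table settings above describe, run over constructed auth.log lines, with the LAN range from the posted pf.conf exempted. The sshd log format, the LAN exemption and the reading of the timeout as a quiet-period reset are assumptions.

```python
import ipaddress
import re
from datetime import datetime

MAX_ATTEMPTS, TIMEOUT = 3, 3600  # $max_attempts and $timeout (seconds) from the post
TABLE = "bruteforce"                          # $table in the post
LAN = ipaddress.ip_network("10.200.62.0/24")  # LAN range from the posted pf.conf

# Constructed sshd lines (assumed syslog format); outside IPs are documentation addresses.
SAMPLE_LOG = """\
Oct  5 09:00:10 gw sshd[301]: Failed password for root from 198.51.100.7 port 40100 ssh2
Oct  5 09:00:15 gw sshd[301]: Failed password for root from 198.51.100.7 port 40100 ssh2
Oct  5 10:30:00 gw sshd[355]: Failed password for invalid user test from 198.51.100.7 port 40212 ssh2
Oct  5 11:58:01 gw sshd[411]: Failed password for root from 203.0.113.9 port 4021 ssh2
Oct  5 11:58:02 gw sshd[412]: Failed password for alice from 10.200.62.40 port 5100 ssh2
Oct  5 11:58:03 gw sshd[411]: Failed password for invalid user admin from 203.0.113.9 port 4021 ssh2
Oct  5 11:58:04 gw sshd[412]: Failed password for alice from 10.200.62.40 port 5100 ssh2
Oct  5 11:58:05 gw sshd[411]: Failed password for root from 203.0.113.9 port 4021 ssh2
Oct  5 11:58:06 gw sshd[412]: Failed password for alice from 10.200.62.40 port 5100 ssh2
"""

FAILED = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from ([0-9A-Fa-f.:]+) port \d+", re.MULTILINE)

def offenders(log_text, year=2005):
    """Outside IPs that reach MAX_ATTEMPTS failures, in the order they trip."""
    count, last_seen, blocked = {}, {}, []
    for m in FAILED.finditer(log_text):
        stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = ipaddress.ip_address(m.group(2))
        if ip in LAN or ip in blocked:
            continue  # never block LAN hosts; skip IPs already in the table
        # Assumption: failures are forgotten after TIMEOUT seconds without a new one.
        if ip in last_seen and (stamp - last_seen[ip]).total_seconds() > TIMEOUT:
            count[ip] = 0
        count[ip] = count.get(ip, 0) + 1
        last_seen[ip] = stamp
        if count[ip] >= MAX_ATTEMPTS:
            blocked.append(ip)
    return [str(ip) for ip in blocked]

def pfctl_commands(ips):
    """Argument lists for the pfctl calls that add each offender to the pf table."""
    return [["/sbin/pfctl", "-t", TABLE, "-T", "add", ip] for ip in ips]

if __name__ == "__main__":
    for cmd in pfctl_commands(offenders(SAMPLE_LOG)):
        print(" ".join(cmd))
```

On the PF side, `pfctl -t bruteforce -T show` lists the addresses currently in the table, which separates "the script never added the address" from "the rule never matched it".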