Date: Tue, 8 Nov 2005 12:02:02 -0500
From: "Dave" <dmehler26@woh.rr.com>
To: <freebsd-questions@freebsd.org>
Subject: bruteforce not restarting pf?
Message-ID: <004c01c5e486$23d5c550$0900a8c0@satellite>

Hello,

I've got a machine running 5.4, offering ssh services and running bruteforce. In my daily security log emails I am seeing entries like:

Nov 7 07:06:55 zeus sshd[24747]: Failed password for illegal user miha from 163.13.111.172 port 56265 ssh2
Nov 7 07:06:58 zeus sshd[24749]: Failed password for illegal user miha from 163.13.111.172 port 56319 ssh2
Nov 7 07:07:01 zeus sshd[24751]: Failed password for root from 163.13.111.172 port 56376 ssh2
Nov 7 07:07:03 zeus sshd[24753]: Failed password for root from 163.13.111.172 port 56418 ssh2
Nov 7 07:07:05 zeus sshd[24757]: Failed password for illegal user simon from 163.13.111.172 port 56461 ssh2
Nov 7 07:07:08 zeus sshd[24759]: Failed password for illegal user simon from 163.13.111.172 port 56504 ssh2
Nov 7 07:07:10 zeus sshd[24761]: Failed password for root from 163.13.111.172 port 56543 ssh2
Nov 7 07:07:12 zeus sshd[24763]: Failed password for root from 163.13.111.172 port 56589 ...

I know these are automated attempts at entry, but I thought bruteforce was supposed to stop these. In my auth.log I do see the IP being added, but connections are still allowed. Here's the snippet:

Nov 7 06:54:52 zeus sshd[24687]: fatal: Timeout before authentication for 163.13.111.172
Nov 7 07:06:55 zeus sshd[24747]: Illegal user miha from 163.13.111.172
Nov 7 07:06:55 zeus sshd[24747]: Failed password for illegal user miha from 163.13.111.172 port 56265 ssh2
163.13.111.172 was logged with total count of 1.
Nov 7 07:06:58 zeus sshd[24749]: Illegal user miha from 163.13.111.172
Nov 7 07:06:58 zeus sshd[24749]: Failed password for illegal user miha from 163.13.111.172 port 56319 ssh2
163.13.111.172 was logged with total count of 2.
Nov 7 07:07:01 zeus sshd[24751]: Failed password for root from 163.13.111.172 port 56376 ssh2
163.13.111.172 was logged with total count of 3.
Nov 7 07:07:03 zeus sshd[24753]: Failed password for root from 163.13.111.172 port 56418 ssh2
IP 163.13.111.172 reached the maximum number of failed attempts!!!
Adding IP to the firewall...
Nov 7 07:07:05 zeus sshd[24757]: Illegal user simon from 163.13.111.172
Nov 7 07:07:05 zeus sshd[24757]: Failed password for illegal user simon from 163.13.111.172 port 56461 ssh2
Nov 7 07:07:08 zeus sshd[24759]: Illegal user simon from 163.13.111.172
Nov 7 07:07:08 zeus sshd[24759]: Failed password for illegal user simon from 163.13.111.172 port 56504 ssh2
Nov 7 07:07:10 zeus sshd[24761]: Failed password for root from 163.13.111.172 port 56543 ssh2

Checking my bruteforce table, I see 163.13.111.172/32 in it, so it was added, but I don't get why future connections were permitted unless pf was not restarted or informed about the updated table. In my pf.conf file I have:

table <bruteforce> persist file "/etc/bruteforce"
set block-policy drop
block in log quick on $ext_if inet proto tcp from <bruteforce> to any port ssh

Any help appreciated.
Thanks.
Dave.
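
An added example, not part of the original message and not code from the bruteforce tool: an sh function that counts failed sshd password attempts per source address in log lines like those quoted above, with the pfctl commands that inspect and update the in-kernel table, which pf fills from the `file` only when the ruleset is loaded. The function names, the thresholds and the 192.0.2.10 lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: print source addresses with at least $1 failed sshd
# password attempts in the log text read from stdin.
offenders() {
    awk -v max="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            # Use the address after the LAST "from": the user name is
            # client-supplied and may itself be the word "from".
            ip = ""
            for (i = 1; i < NF; i++)
                if ($i == "from") ip = $(i + 1)
            if (ip != "") count[ip]++
        }
        END {
            for (ip in count)
                if (count[ip] >= max) print ip
        }' | sort
}

# Sample input: the first five lines follow the auth.log excerpt in the
# message; the two 192.0.2.10 lines are constructed.
sample_log() {
    cat <<'EOF'
Nov 7 07:06:55 zeus sshd[24747]: Illegal user miha from 163.13.111.172
Nov 7 07:06:55 zeus sshd[24747]: Failed password for illegal user miha from 163.13.111.172 port 56265 ssh2
Nov 7 07:06:58 zeus sshd[24749]: Failed password for illegal user miha from 163.13.111.172 port 56319 ssh2
Nov 7 07:07:01 zeus sshd[24751]: Failed password for root from 163.13.111.172 port 56376 ssh2
Nov 7 07:07:03 zeus sshd[24753]: Failed password for root from 163.13.111.172 port 56418 ssh2
Nov 7 07:09:00 zeus sshd[24801]: Failed password for illegal user from from 192.0.2.10 port 40000 ssh2
Nov 7 07:09:03 zeus sshd[24803]: Failed password for root from 192.0.2.10 port 40001 ssh2
EOF
}

sample_log | offenders 4

# On the pf host (as root), the block rule consults the kernel table,
# not /etc/bruteforce itself:
#   pfctl -t bruteforce -T show                  # addresses pf matches now
#   pfctl -t bruteforce -T add 163.13.111.172    # add without reloading pf
#   pfctl -t bruteforce -T replace -f /etc/bruteforce   # resync from file
```

Comparing the output of `pfctl -t bruteforce -T show` with the contents of `/etc/bruteforce` shows whether an address written to the file has actually reached the table the rule matches against.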