From owner-freebsd-questions@FreeBSD.ORG Tue Nov 8 17:09:41 2005
From: "Dave" <dmehler26@woh.rr.com>
To: freebsd-questions@freebsd.org
Date: Tue, 8 Nov 2005 12:02:02 -0500
Subject: bruteforce not restarting pf?
Message-ID: <004c01c5e486$23d5c550$0900a8c0@satellite>
List-Id: User questions <freebsd-questions@freebsd.org>

Hello,
I've got a machine running 5.4, offering ssh services and running bruteforce.
In my daily security log emails I am seeing entries like:

Nov 7 07:06:55 zeus sshd[24747]: Failed password for illegal user miha from 163.13.111.172 port 56265 ssh2
Nov 7 07:06:58 zeus sshd[24749]: Failed password for illegal user miha from 163.13.111.172 port 56319 ssh2
Nov 7 07:07:01 zeus sshd[24751]: Failed password for root from 163.13.111.172 port 56376 ssh2
Nov 7 07:07:03 zeus sshd[24753]: Failed password for root from 163.13.111.172 port 56418 ssh2
Nov 7 07:07:05 zeus sshd[24757]: Failed password for illegal user simon from 163.13.111.172 port 56461 ssh2
Nov 7 07:07:08 zeus sshd[24759]: Failed password for illegal user simon from 163.13.111.172 port 56504 ssh2
Nov 7 07:07:10 zeus sshd[24761]: Failed password for root from 163.13.111.172 port 56543 ssh2
Nov 7 07:07:12 zeus sshd[24763]: Failed password for root from 163.13.111.172 port 56589
...

I know these are automated attempts at entry, but I thought bruteforce was supposed to stop these. In my auth.log I do see the IP being added, but connections are still allowed. Here's the snippet:

Nov 7 06:54:52 zeus sshd[24687]: fatal: Timeout before authentication for 163.13.111.172
Nov 7 07:06:55 zeus sshd[24747]: Illegal user miha from 163.13.111.172
Nov 7 07:06:55 zeus sshd[24747]: Failed password for illegal user miha from 163.13.111.172 port 56265 ssh2
163.13.111.172 was logged with total count of 1.
Nov 7 07:06:58 zeus sshd[24749]: Illegal user miha from 163.13.111.172
Nov 7 07:06:58 zeus sshd[24749]: Failed password for illegal user miha from 163.13.111.172 port 56319 ssh2
163.13.111.172 was logged with total count of 2.
Nov 7 07:07:01 zeus sshd[24751]: Failed password for root from 163.13.111.172 port 56376 ssh2
163.13.111.172 was logged with total count of 3.
Nov 7 07:07:03 zeus sshd[24753]: Failed password for root from 163.13.111.172 port 56418 ssh2
IP 163.13.111.172 reached the maximum number of failed attempts!!! Adding IP to the firewall...
Nov 7 07:07:05 zeus sshd[24757]: Illegal user simon from 163.13.111.172
Nov 7 07:07:05 zeus sshd[24757]: Failed password for illegal user simon from 163.13.111.172 port 56461 ssh2
Nov 7 07:07:08 zeus sshd[24759]: Illegal user simon from 163.13.111.172
Nov 7 07:07:08 zeus sshd[24759]: Failed password for illegal user simon from 163.13.111.172 port 56504 ssh2
Nov 7 07:07:10 zeus sshd[24761]: Failed password for root from 163.13.111.172 port 56543 ssh2

Checking my bruteforce table, I see 163.13.111.172/32 in it, so it was added, but I don't get why future connections were permitted, unless pf was not restarted or informed about the updated table. In my pf.conf file I have:

table <bruteforce> persist file "/etc/bruteforce"
set block-policy drop
block in log quick on $ext_if inet proto tcp from <bruteforce> to any port ssh

Any help appreciated.
Thanks.
Dave.
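The following is an added example, not part of Dave's message and not the bruteforce program's own code. It walks through what a log-driven blocker like the one above has to do: parse sshd "Failed password" lines, count failures per source address, and, once the threshold is reached, push the address into the live pf table. The threshold of 4 is an assumption chosen to match the excerpt (the fourth failure triggered "Adding IP to the firewall..."), the table name "bruteforce" is assumed from the /etc/bruteforce file and the "my bruteforce table" wording, and the sample log lines are constructed for the example (the second address, 192.0.2.10, is a documentation address, not from the post). The point the example makes explicit is that appending an address to the table's backing file is not enough on its own: pf reads a `file "..."` table source only when the ruleset is loaded, so the address must also be added to the kernel-resident table with pfctl, and the commands are returned as strings rather than executed so the block runs anywhere.

```python
"""Count sshd password failures per source address and decide when to block.

Added example, not the bruteforce program's own code. Assumes a threshold of
4 failures (matching the log excerpt, where the fourth failure triggered the
block) and a pf table named "bruteforce". The pfctl commands are built as
strings and not executed.
"""
import re
import shlex
from collections import defaultdict

# Matches both "Failed password for root from ..." and
# "Failed password for illegal user miha from ..." (OpenSSH 3.x/4.x wording);
# newer sshd says "invalid user", so that spelling is accepted too.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user |invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

THRESHOLD = 4          # assumed: block on the 4th failure, as in the excerpt
TABLE = "bruteforce"   # assumed pf table name

# Constructed sample auth.log lines (the 192.0.2.10 entries are invented).
SAMPLE_LOG = """\
Nov  7 06:54:52 zeus sshd[24687]: fatal: Timeout before authentication for 163.13.111.172
Nov  7 07:06:55 zeus sshd[24747]: Illegal user miha from 163.13.111.172
Nov  7 07:06:55 zeus sshd[24747]: Failed password for illegal user miha from 163.13.111.172 port 56265 ssh2
Nov  7 07:06:58 zeus sshd[24749]: Failed password for illegal user miha from 163.13.111.172 port 56319 ssh2
Nov  7 07:07:01 zeus sshd[24751]: Failed password for root from 163.13.111.172 port 56376 ssh2
Nov  7 07:07:03 zeus sshd[24753]: Failed password for root from 163.13.111.172 port 56418 ssh2
Nov  7 07:07:05 zeus sshd[24757]: Failed password for illegal user simon from 163.13.111.172 port 56461 ssh2
Nov  7 07:09:10 zeus sshd[24790]: Failed password for invalid user test from 192.0.2.10 port 40001 ssh2
Nov  7 07:09:12 zeus sshd[24792]: Failed password for invalid user test from 192.0.2.10 port 40002 ssh2
""".splitlines()


def parse_failures(lines):
    """Yield (line_no, user, ip) for each failed-password line (1-based numbering).

    Lines without a password failure (timeouts, "Illegal user" notices) are
    ignored, so only real authentication failures are counted.
    """
    for line_no, line in enumerate(lines, start=1):
        m = FAILED_RE.search(line)
        if m:
            yield line_no, m.group("user"), m.group("ip")


def block_events(lines, threshold=THRESHOLD):
    """Return [(ip, line_no)] once per address, at the line where it hits the threshold."""
    counts = defaultdict(int)
    events = []
    for line_no, _user, ip in parse_failures(lines):
        counts[ip] += 1
        if counts[ip] == threshold:       # fire exactly once per address
            events.append((ip, line_no))
    return events


def failure_counts(lines):
    """Return {ip: number of failed password attempts} over the whole input."""
    counts = defaultdict(int)
    for _line_no, _user, ip in parse_failures(lines):
        counts[ip] += 1
    return dict(counts)


def block_commands(ip, table=TABLE):
    """pfctl commands that make pf enforce the block immediately.

    Appending the address to the table's backing file is not enough: pf loads
    that file only when the ruleset is loaded. The address has to be added to
    the in-kernel table, and any states the attacker already holds should be
    killed so in-flight sessions do not outlive the block.
    """
    ip_q, table_q = shlex.quote(ip), shlex.quote(table)
    return [
        f"pfctl -t {table_q} -T add {ip_q}",   # insert into the live table
        f"pfctl -k {ip_q}",                     # kill existing states from that host
    ]


if __name__ == "__main__":
    for ip, line_no in block_events(SAMPLE_LOG):
        print(f"line {line_no}: {ip} reached {THRESHOLD} failures")
        for cmd in block_commands(ip):
            print("  ", cmd)
```

On a live box the check that matters is `pfctl -t bruteforce -T show`, which prints the table as the kernel currently holds it, as opposed to the contents of /etc/bruteforce. If the file has the address but the live table does not, the blocker only wrote the file; `pfctl -t bruteforce -T replace -f /etc/bruteforce` reloads the table from the file without touching the rest of the ruleset. Each SSH attempt in the excerpt is a fresh TCP connection, so once the address is in the live table the `block in quick` rule applies to the next SYN; `pfctl -k` only matters for connections that already have state.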