Date:      Tue, 08 Nov 2005 12:40:14 -0500
From:      Gerard Seibert <gerard@seibercom.net>
To:        freebsd-questions@freebsd.org
Subject:   Re: bruteforce not restarting pf?
Message-ID:  <20051108123712.3597.GERARD@seibercom.net>
In-Reply-To: <004c01c5e486$23d5c550$0900a8c0@satellite>
References:  <004c01c5e486$23d5c550$0900a8c0@satellite>

On Tuesday, November 08, 2005 12:02:02 PM, "Dave" <dmehler26@woh.rr.com>
Subject: bruteforce not restarting pf?
Wrote these words of wisdom:

> Hello,
>     I've got a machine running 5.4, offering ssh services and running 
> bruteforce. In my daily security log emails I am seeing entries like:
> 
> Nov  7 07:06:55 zeus sshd[24747]: Failed password for illegal user miha from 
> 163.13.111.172 port 56265 ssh2
> Nov  7 07:06:58 zeus sshd[24749]: Failed password for illegal user miha from 
> 163.13.111.172 port 56319 ssh2
> Nov  7 07:07:01 zeus sshd[24751]: Failed password for root from 
> 163.13.111.172 port 56376 ssh2
> Nov  7 07:07:03 zeus sshd[24753]: Failed password for root from 
> 163.13.111.172 port 56418 ssh2
> Nov  7 07:07:05 zeus sshd[24757]: Failed password for illegal user simon 
> from 163.13.111.172 port 56461 ssh2
> Nov  7 07:07:08 zeus sshd[24759]: Failed password for illegal user simon 
> from 163.13.111.172 port 56504 ssh2
> Nov  7 07:07:10 zeus sshd[24761]: Failed password for root from 
> 163.13.111.172 port 56543 ssh2
> Nov  7 07:07:12 zeus sshd[24763]: Failed password for root from 
> 163.13.111.172 port 56589
> ...
> 
> I know these are automated attempts at entry but I thought bruteforce was 
> supposed to stop these. In my auth.log I do see the IP being added, but 
> connections are still allowed. Here's the snippet:
> 
> Nov  7 06:54:52 zeus sshd[24687]: fatal: Timeout before authentication for 
> 163.13.111.172
> Nov  7 07:06:55 zeus sshd[24747]: Illegal user miha from 163.13.111.172
> Nov  7 07:06:55 zeus sshd[24747]: Failed password for illegal user miha from 
> 163.13.111.172 port 56265 ssh2
> 163.13.111.172 was logged with total count of 1.
> Nov  7 07:06:58 zeus sshd[24749]: Illegal user miha from 163.13.111.172
> Nov  7 07:06:58 zeus sshd[24749]: Failed password for illegal user miha from 
> 163.13.111.172 port 56319 ssh2
> 163.13.111.172 was logged with total count of 2.
> Nov  7 07:07:01 zeus sshd[24751]: Failed password for root from 
> 163.13.111.172 port 56376 ssh2
> 163.13.111.172 was logged with total count of 3.
> Nov  7 07:07:03 zeus sshd[24753]: Failed password for root from 
> 163.13.111.172 port 56418 ssh2
> IP 163.13.111.172 reached the maximum number of failed attempts!!!
> Adding IP to the firewall...
> Nov  7 07:07:05 zeus sshd[24757]: Illegal user simon from 163.13.111.172
> Nov  7 07:07:05 zeus sshd[24757]: Failed password for illegal user simon 
> from 163.13.111.172 port 56461 ssh2
> Nov  7 07:07:08 zeus sshd[24759]: Illegal user simon from 163.13.111.172
> Nov  7 07:07:08 zeus sshd[24759]: Failed password for illegal user simon 
> from 163.13.111.172 port 56504 ssh2
> Nov  7 07:07:10 zeus sshd[24761]: Failed password for root from 
> 163.13.111.172 port 56543 ssh2
> 
> Checking my bruteforce table, I see 163.13.111.172/32 in it, so it was 
> added, but I don't get why future connections were permitted unless pf was 
> not restarted or informed about the updated table. In my pf.conf file I 
> have:
> 
> table <bruteforce> persist file "/etc/bruteforce"
> set block-policy drop
> block in log quick on $ext_if inet proto tcp from <bruteforce> to any port 
> ssh
> 
> Any help appreciated.
> Thanks.
> Dave.
> 

***** REPLY SEPARATOR *****
On 10/11/2005 5:29:42 PM, Gerard Replied:

You might want to check out this URL:

http://danger.rulez.sk/projects/bruteforceblocker/

Perhaps you might be able to glom something of value there.

-- 
Gerard Seibert
gerard@seibercom.net


	A: Because it reverses the natural flow of a dialog.
	Q: Why is top posting undesirable when replying?

	TOPIC: Posting Etiquette
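The symptom Dave quotes (the address is in /etc/bruteforce, yet new logins from it keep arriving) is what you see when only the file is updated: `table <bruteforce> persist file "/etc/bruteforce"` reads the file when the ruleset is loaded, so an address appended afterwards is not in the kernel table until something calls `pfctl -t bruteforce -T add <ip>` (or `-T replace -f /etc/bruteforce`), and any sessions the attacker already holds keep passing on their existing state entries until they are killed with `pfctl -k <ip>`. The script below is an added example, not code from the thread or from the bruteforce/bruteforceblocker projects: it counts sshd "Failed password" lines per source address over constructed sample log lines modelled on the quoted ones, and shows the two pfctl calls that put a block into effect without a ruleset reload. The table name `bruteforce`, the threshold and the `DRY_RUN` switch are assumptions for the example; 192.0.2.10 is a constructed address.

```sh
#!/bin/sh
# Added example (not from the thread): count sshd "Failed password" lines per
# source address, then push offenders into the live pf table. The table name
# <bruteforce> is taken from the quoted pf.conf; the threshold is assumed.

# Constructed sample log lines, modelled on the ones quoted in the thread.
SAMPLE_LOG='Nov  7 07:06:55 zeus sshd[24747]: Failed password for illegal user miha from 163.13.111.172 port 56265 ssh2
Nov  7 07:06:58 zeus sshd[24749]: Failed password for illegal user miha from 163.13.111.172 port 56319 ssh2
Nov  7 07:07:01 zeus sshd[24751]: Failed password for root from 163.13.111.172 port 56376 ssh2
Nov  7 07:07:03 zeus sshd[24753]: Failed password for root from 163.13.111.172 port 56418 ssh2
Nov  7 07:08:00 zeus sshd[24800]: Failed password for bob from 192.0.2.10 port 40000 ssh2
Nov  7 07:08:05 zeus sshd[24801]: Accepted password for bob from 192.0.2.10 port 40001 ssh2'

# offenders THRESHOLD: read sshd log lines on stdin and print "count ip" for
# every source address with at least THRESHOLD failed logins.
offenders() {
    awk -v max="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the word after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= max) print n[ip], ip }
    '
}

# run CMD...: execute, or only echo when DRY_RUN=1 (so the example can be
# exercised on a host without pf).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# block_ip TABLE IP: add the address to the running kernel table (no ruleset
# reload needed) and kill the states it already holds, so the "block in quick"
# rule applies to the next packet rather than only to future connections.
block_ip() {
    run pfctl -t "$1" -T add "$2"
    run pfctl -k "$2"
}

main() {
    DRY_RUN=1
    printf '%s\n' "$SAMPLE_LOG" | offenders 3 | while read -r count ip; do
        echo "$ip: $count failed logins, blocking"
        block_ip bruteforce "$ip"
    done
}

main
```

Run as root with `DRY_RUN` unset (and the log fed from `/var/log/auth.log` instead of `SAMPLE_LOG`) to apply the block for real; `pfctl -t bruteforce -T show` afterwards confirms the address is in the kernel table, which is the check that distinguishes "in the file" from "in pf".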



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051108123712.3597.GERARD>