From: Gerard Seibert <gerard@seibercom.net>
To: freebsd-questions@freebsd.org
Date: Tue, 08 Nov 2005 12:40:14 -0500
Subject: Re: bruteforce not restarting pf?
Message-Id: <20051108123712.3597.GERARD@seibercom.net>
In-Reply-To: <004c01c5e486$23d5c550$0900a8c0@satellite>
List-Id: freebsd-questions (User questions)
On Tuesday, November 08, 2005 12:02:02 PM, "Dave" Subject: bruteforce not restarting pf? Wrote these words of wisdom:

> Hello,
> I've got a machine running 5.4, offering ssh services and running
> bruteforce. In my daily security log emails I am seeing entries like:
>
> Nov 7 07:06:55 zeus sshd[24747]: Failed password for illegal user miha from 163.13.111.172 port 56265 ssh2
> Nov 7 07:06:58 zeus sshd[24749]: Failed password for illegal user miha from 163.13.111.172 port 56319 ssh2
> Nov 7 07:07:01 zeus sshd[24751]: Failed password for root from 163.13.111.172 port 56376 ssh2
> Nov 7 07:07:03 zeus sshd[24753]: Failed password for root from 163.13.111.172 port 56418 ssh2
> Nov 7 07:07:05 zeus sshd[24757]: Failed password for illegal user simon from 163.13.111.172 port 56461 ssh2
> Nov 7 07:07:08 zeus sshd[24759]: Failed password for illegal user simon from 163.13.111.172 port 56504 ssh2
> Nov 7 07:07:10 zeus sshd[24761]: Failed password for root from 163.13.111.172 port 56543 ssh2
> Nov 7 07:07:12 zeus sshd[24763]: Failed password for root from 163.13.111.172 port 56589
> ...
>
> I know these are automated attempts at entry but I thought bruteforce was
> supposed to stop these. In my auth.log I do see the IP being added, but
> connections are still allowed. Here's the snippet:
>
> Nov 7 06:54:52 zeus sshd[24687]: fatal: Timeout before authentication for 163.13.111.172
> Nov 7 07:06:55 zeus sshd[24747]: Illegal user miha from 163.13.111.172
> Nov 7 07:06:55 zeus sshd[24747]: Failed password for illegal user miha from 163.13.111.172 port 56265 ssh2
> 163.13.111.172 was logged with total count of 1.
> Nov 7 07:06:58 zeus sshd[24749]: Illegal user miha from 163.13.111.172
> Nov 7 07:06:58 zeus sshd[24749]: Failed password for illegal user miha from 163.13.111.172 port 56319 ssh2
> 163.13.111.172 was logged with total count of 2.
> Nov 7 07:07:01 zeus sshd[24751]: Failed password for root from 163.13.111.172 port 56376 ssh2
> 163.13.111.172 was logged with total count of 3.
> Nov 7 07:07:03 zeus sshd[24753]: Failed password for root from 163.13.111.172 port 56418 ssh2
> IP 163.13.111.172 reached the maximum number of failed attempts!!!
> Adding IP to the firewall...
> Nov 7 07:07:05 zeus sshd[24757]: Illegal user simon from 163.13.111.172
> Nov 7 07:07:05 zeus sshd[24757]: Failed password for illegal user simon from 163.13.111.172 port 56461 ssh2
> Nov 7 07:07:08 zeus sshd[24759]: Illegal user simon from 163.13.111.172
> Nov 7 07:07:08 zeus sshd[24759]: Failed password for illegal user simon from 163.13.111.172 port 56504 ssh2
> Nov 7 07:07:10 zeus sshd[24761]: Failed password for root from 163.13.111.172 port 56543 ssh2
>
> Checking my bruteforce table I see 163.13.111.172/32 in it, so it was
> added, but I don't get why future connections were permitted unless pf was
> not restarted or informed about the updated table. In my pf.conf file I
> have:
>
> table persist file "/etc/bruteforce"
> set block-policy drop
> block in log quick on $ext_if inet proto tcp from to any port ssh
>
> Any help appreciated.
> Thanks.
> Dave.

***** REPLY SEPARATOR *****

On 10/11/2005 5:29:42 PM, Gerard Replied:

You might want to check out this URL:

http://danger.rulez.sk/projects/bruteforceblocker/

Perhaps you might be able to glom something of value there.

-- 
Gerard Seibert
gerard@seibercom.net

A: Because it reverses the natural flow of a dialog.
Q: Why is top posting undesirable when replying?
TOPIC: Posting Etiquette
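The mechanics behind Dave's question, as an added example that is neither his bruteforce script nor the bruteforceblocker tool Gerard points to. Three pf facts decide whether a ban "takes": a table changed with `pfctl -t NAME -T add` is updated in the kernel at once and the block rule sees it on the next SYN, so no pf restart or ruleset reload is needed; the `file "/etc/bruteforce"` clause on the table is read only when the ruleset is loaded, so appending to that file by itself bans nobody until the next `pfctl -f`; and packets matching an existing state never reach the ruleset, so a session the attacker already holds has to be killed explicitly. The script below counts `Failed password` lines per source, and for each offender prints (or, via `ban`, runs) the commands that cover all three. Assumptions: the table is called `<bruteforce>` (the angle-bracketed name in Dave's pf.conf did not survive the quoting), the persist file is `/etc/bruteforce`, the threshold is four failures (the point at which Dave's log reports the ban), `pfctl` is in `$PATH`, and the sample log lines are constructed after the ones quoted above, with a second below-threshold source added for contrast.

```shell
#!/bin/sh
# Added example, not Dave's script and not bruteforceblocker.
# Assumptions: pf table <bruteforce> persisted in /etc/bruteforce,
# threshold 4 failures, pfctl in $PATH.

THRESHOLD=${THRESHOLD:-4}
TABLE=${TABLE:-bruteforce}
PERSIST_FILE=${PERSIST_FILE:-/etc/bruteforce}
PFCTL=${PFCTL:-pfctl}

# Constructed sample input, modelled on the auth.log lines in the thread;
# 192.0.2.10 is a second source that stays below the threshold.
SAMPLE_LOG='Nov  7 07:06:55 zeus sshd[24747]: Failed password for illegal user miha from 163.13.111.172 port 56265 ssh2
Nov  7 07:06:58 zeus sshd[24749]: Failed password for illegal user miha from 163.13.111.172 port 56319 ssh2
Nov  7 07:07:01 zeus sshd[24751]: Failed password for root from 163.13.111.172 port 56376 ssh2
Nov  7 07:07:03 zeus sshd[24753]: Failed password for root from 163.13.111.172 port 56418 ssh2
Nov  7 07:07:05 zeus sshd[24757]: Accepted password for dave from 192.0.2.10 port 40000 ssh2
Nov  7 07:07:10 zeus sshd[24761]: Failed password for root from 192.0.2.10 port 40001 ssh2'

# offenders: read sshd log lines on stdin, print every source address with
# at least THRESHOLD "Failed password" lines, one per line, sorted.
# Both shapes seen in the thread ("for illegal user X from IP" and
# "for root from IP") put the address right after the word "from".
offenders() {
    awk -v t="$THRESHOLD" '
        /: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print ip }
    ' | sort
}

# ban_commands: for each address on stdin, print the three commands that
# make the ban effective now and keep it across a reload:
#   1. add to the running kernel table (takes effect immediately, no reload)
#   2. kill states the attacker already holds (states bypass the ruleset)
#   3. record it in the persist file, which pf reads only at ruleset load
ban_commands() {
    while read -r ip; do
        printf '%s -t %s -T add %s\n' "$PFCTL" "$TABLE" "$ip"
        printf '%s -k %s\n' "$PFCTL" "$ip"
        printf 'grep -qxF %s %s || echo %s >> %s\n' "$ip" "$PERSIST_FILE" "$ip" "$PERSIST_FILE"
    done
}

# ban: execute the commands for real (root on the pf host). Usage: echo IP | ban
ban() {
    ban_commands | sh
}

# Dry run over the constructed sample: prints the commands, executes nothing.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | offenders | ban_commands
fi
```

Whatever script does the banning, the check for "pf was not informed" is to compare the file with the kernel: `pfctl -t bruteforce -T show` lists what the running table holds, and `pfctl -t bruteforce -T test 163.13.111.172` says whether that address would match it right now; if the address is in `/etc/bruteforce` but not in the output, the script only wrote the file. If it is in the running table and new connections still get through, look at `pfctl -sr`: with `quick` rules the first match wins, so a `pass in quick ... port ssh` placed before the block rule, or an `$ext_if` that is not the interface the attacker arrives on, lets the SYN in before the table is ever consulted.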