Date: Tue, 8 Nov 2005 19:56:38 +0100
From: Daniel Gerzo <danger@rulez.sk>
To: "Dave" <dmehler26@woh.rr.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: bruteforce not restarting pf?
Message-ID: <1947363373.20051108195638@rulez.sk>
In-Reply-To: <004c01c5e486$23d5c550$0900a8c0@satellite>
References: <004c01c5e486$23d5c550$0900a8c0@satellite>
Hello Dave,

Tuesday, November 8, 2005, 6:02:02 PM, you wrote these comments:

> Hello,
> I've got a machine running 5.4, offering ssh services and running
> bruteforce. In my daily security log emails I am seeing entries like:

<snip>

> I know these are automated attempts at entry but I thought bruteforce was
> supposed to stop these. In my auth.log I do see the IP being added, but
> connections are still allowed. Here's the snippet:

<snip>

> 163.13.111.172 port 56376 ssh2
> 163.13.111.172 was logged with total count of 3.
> Nov 7 07:07:03 zeus sshd[24753]: Failed password for root from
> 163.13.111.172 port 56418 ssh2
> IP 163.13.111.172 reached the maximum number of failed attempts!!!
> Adding IP to the firewall...
> Nov 7 07:07:05 zeus sshd[24757]: Illegal user simon from 163.13.111.172
> Nov 7 07:07:05 zeus sshd[24757]: Failed password for illegal user simon
> from 163.13.111.172 port 56461 ssh2
> Nov 7 07:07:08 zeus sshd[24759]: Illegal user simon from 163.13.111.172
> Nov 7 07:07:08 zeus sshd[24759]: Failed password for illegal user simon
> from 163.13.111.172 port 56504 ssh2
> Nov 7 07:07:10 zeus sshd[24761]: Failed password for root from
> 163.13.111.172 port 56543 ssh2

> Checking my bruteforce table, I see 163.13.111.172/32 in it, so it was
> added, but I don't get why future connections were permitted unless pf was
> not restarted or informed about the updated table. In my pf.conf file I
> have:

What version of bruteforceblocker do you use?

> table <bruteforce> persist file "/etc/bruteforce"
> set block-policy drop
> block in log quick on $ext_if inet proto tcp from <bruteforce> to any port
> ssh

> Any help appreciated.
> Thanks.
> Dave.

Btw, I'm about to release a new version in the near future; the code is done,
but the port isn't yet :)

--
Best Regards,
DanGer, ICQ: 261701668 | e-mail protecting at: http://www.2pu.net/
http://danger.rulez.sk | proxy list at: http://www.proxy-web.com/
| FreeBSD - The Power to Serve!
[ This is starting to get interesting, don't you think? ]
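
An added example, not part of the original message and not bruteforceblocker code: a Python check that lists failed sshd logins logged after the blocker's "reached the maximum number of failed attempts" line for the same address, which is the symptom described in the quoted question. The sample log is constructed from the format of the quoted excerpt (lines unwrapped, documentation-range addresses substituted), and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample modeled on the quoted auth.log excerpt: wrapped lines are
# joined and the addresses are replaced with documentation-range ones.
SAMPLE_LOG = """\
Nov  7 07:07:01 zeus sshd[24751]: Failed password for root from 203.0.113.7 port 56376 ssh2
203.0.113.7 was logged with total count of 3.
Nov  7 07:07:03 zeus sshd[24753]: Failed password for root from 203.0.113.7 port 56418 ssh2
IP 203.0.113.7 reached the maximum number of failed attempts!!!
Adding IP to the firewall...
Nov  7 07:07:05 zeus sshd[24757]: Illegal user simon from 203.0.113.7
Nov  7 07:07:05 zeus sshd[24757]: Failed password for illegal user simon from 203.0.113.7 port 56461 ssh2
Nov  7 07:07:08 zeus sshd[24759]: Failed password for illegal user simon from 203.0.113.7 port 56504 ssh2
Nov  7 07:07:10 zeus sshd[24761]: Failed password for root from 203.0.113.7 port 56543 ssh2
Nov  7 07:09:41 zeus sshd[24790]: Failed password for root from 198.51.100.23 port 40112 ssh2
"""

# Blocker announcement and sshd failure lines, as they appear in the excerpt.
BLOCKED = re.compile(r"^IP (\S+) reached the maximum number of failed attempts")
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user )?(\S+) from (\S+) port (\d+)"
)

def attempts_after_block(log_text):
    """Return {ip: [(user, source_port), ...]} for failed logins that were
    logged after the blocker announced the address had hit its limit."""
    blocked = set()
    leaks = defaultdict(list)
    for line in log_text.splitlines():
        m = BLOCKED.match(line)
        if m:
            blocked.add(m.group(1))
            continue
        m = FAILED.search(line)
        if m and m.group(2) in blocked:
            leaks[m.group(2)].append((m.group(1), int(m.group(3))))
    return dict(leaks)

if __name__ == "__main__":
    for ip, hits in attempts_after_block(SAMPLE_LOG).items():
        print(f"{ip}: {len(hits)} failed logins after block: {hits}")
```

Distinct source ports in the result mean each attempt arrived on a new TCP connection rather than as further tries on one already-open session.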