From owner-freebsd-questions@FreeBSD.ORG Tue Nov 8 18:57:07 2005
Return-Path:
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5924E16A41F for ; Tue, 8 Nov 2005 18:57:07 +0000 (GMT) (envelope-from danger@rulez.sk)
Received: from mail.rulez.sk (DaEmoN.RuLeZ.sK [84.16.32.226]) by mx1.FreeBSD.org (Postfix) with ESMTP id DBD0443D49 for ; Tue, 8 Nov 2005 18:57:06 +0000 (GMT) (envelope-from danger@rulez.sk)
Received: from localhost (localhost [127.0.0.1]) by mail.rulez.sk (Postfix) with ESMTP id 0DDEA1CC6D; Tue, 8 Nov 2005 19:57:05 +0100 (CET)
Received: from danger.mcrn.sk (danger.mcrn.sk [84.16.37.254]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.rulez.sk (Postfix) with ESMTP id 683AA1CC8C; Tue, 8 Nov 2005 19:57:01 +0100 (CET)
Date: Tue, 8 Nov 2005 19:56:38 +0100
From: Daniel Gerzo
X-Mailer: The Bat! (v3.5) UNREG / CD5BF9353B3B7091
X-Priority: 3 (Normal)
Message-ID: <1947363373.20051108195638@rulez.sk>
To: "Dave"
In-Reply-To: <004c01c5e486$23d5c550$0900a8c0@satellite>
References: <004c01c5e486$23d5c550$0900a8c0@satellite>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by amavisd-new at mail.rulez.sk
X-Spam-Status: No, score=-3.877 tagged_above=-999 required=5 tests=[ALL_TRUSTED=-1.8, AWL=0.522, BAYES_00=-2.599]
X-Spam-Score: -3.877
X-Spam-Level:
Cc: freebsd-questions@freebsd.org
Subject: Re: bruteforce not restarting pf?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Daniel Gerzo
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 08 Nov 2005 18:57:07 -0000

Hello Dave,

Tuesday, November 8, 2005, 6:02:02 PM, you wrote these comments:

> Hello,
> I've got a machine running 5.4, offering ssh services and running
> bruteforce. In my daily security log emails I am seeing entries like:
> I know these are automated attempts at entry but I thought bruteforce was
> supposed to stop these. In my auth.log I do see the IP being added, but
> connections are still allowed. Here's the snippet:
>
> 163.13.111.172 port 56376 ssh2
> 163.13.111.172 was logged with total count of 3.
> Nov 7 07:07:03 zeus sshd[24753]: Failed password for root from
> 163.13.111.172 port 56418 ssh2
> IP 163.13.111.172 reached the maximum number of failed attempts!!!
> Adding IP to the firewall...
> Nov 7 07:07:05 zeus sshd[24757]: Illegal user simon from 163.13.111.172
> Nov 7 07:07:05 zeus sshd[24757]: Failed password for illegal user simon
> from 163.13.111.172 port 56461 ssh2
> Nov 7 07:07:08 zeus sshd[24759]: Illegal user simon from 163.13.111.172
> Nov 7 07:07:08 zeus sshd[24759]: Failed password for illegal user simon
> from 163.13.111.172 port 56504 ssh2
> Nov 7 07:07:10 zeus sshd[24761]: Failed password for root from
> 163.13.111.172 port 56543 ssh2
>
> Checking my bruteforce table I see 163.13.111.172/32 in it, so it was
> added, but I don't get why future connections were permitted unless pf was
> not restarted or informed about the updated table. In my pf.conf file I
> have:

What version of bruteforceblocker do you use?

> table persist file "/etc/bruteforce"
> set block-policy drop
> block in log quick on $ext_if inet proto tcp from to any port
> ssh
>
> Any help appreciated.
> Thanks.
> Dave.

Btw, I'm about to release a new version in the near future; the code is done, but the port isn't yet :)

-- 
Best Regards,
  DanGer, ICQ: 261701668    | e-mail protecting at: http://www.2pu.net/
  http://danger.rulez.sk    | proxy list at: http://www.proxy-web.com/
                            | FreeBSD - The Power to Serve!

[ This is starting to get interesting, don't you think? ]
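The symptom in the question (the address shows up in the table file, yet later connections from it still reach sshd) is worth checking from pf's side rather than from the file's. A `table ... persist file "/etc/bruteforce"` entry is read when the ruleset is loaded; pf does not watch the file afterwards, so a blocker that only appends to the file changes nothing in the kernel until `pfctl -f` or `pfctl -t bruteforce -T replace -f /etc/bruteforce` runs. The kernel table is updated immediately with `pfctl -t bruteforce -T add`, and `pfctl -t bruteforce -T show` is the check that tells you whether the running ruleset actually knows the address. A `block in` rule also only affects new connections; states already established from that host survive until they are killed with `pfctl -k`. The script below is an added example written for this reply, not bruteforceblocker's code and not a statement about what Dave's version does: it counts sshd "Failed password" lines per source address in constructed log lines modelled on the ones quoted above, and pushes offenders into the kernel table and the persist file. The table name `bruteforce`, the threshold of 3, the file path and the `PFCTL` override are assumptions.

```sh
#!/bin/sh
# Added example, not part of bruteforceblocker. Assumptions: pf table
# "bruteforce", persist file /etc/bruteforce, threshold 3 failures, and a
# PFCTL variable so the pfctl calls can be swapped for a stub in dry runs.

PF_TABLE=${PF_TABLE:-bruteforce}
PF_FILE=${PF_FILE:-/etc/bruteforce}
THRESHOLD=${THRESHOLD:-3}
PFCTL=${PFCTL:-pfctl}

# Constructed sample log, modelled on the auth.log lines in the question.
# 163.13.111.172 fails four times; 192.0.2.10 fails once and then succeeds.
SAMPLE_LOG='Nov  7 07:07:03 zeus sshd[24753]: Failed password for root from 163.13.111.172 port 56418 ssh2
Nov  7 07:07:05 zeus sshd[24757]: Failed password for illegal user simon from 163.13.111.172 port 56461 ssh2
Nov  7 07:07:08 zeus sshd[24759]: Failed password for illegal user simon from 163.13.111.172 port 56504 ssh2
Nov  7 07:07:10 zeus sshd[24761]: Failed password for root from 163.13.111.172 port 56543 ssh2
Nov  7 07:09:00 zeus sshd[24790]: Failed password for admin from 192.0.2.10 port 40001 ssh2
Nov  7 07:09:05 zeus sshd[24792]: Accepted publickey for dave from 192.0.2.10 port 40002 ssh2'

# offenders: read sshd log lines on stdin and print every source address
# with at least $THRESHOLD "Failed password" lines, one per line.
# The trailing " from <ip> port <n> ssh2" anchors the match so user names
# containing "from" cannot confuse the extraction.
offenders() {
    grep 'sshd\[[0-9]*\]: Failed password for' \
    | sed -n 's/.* from \([0-9.]*\) port [0-9]* ssh2$/\1/p' \
    | sort | uniq -c \
    | awk -v t="$THRESHOLD" '$1 >= t { print $2 }'
}

# block_ip: add one host to the kernel table (takes effect at once), kill
# any states it already has (a block rule alone leaves established
# connections running), then record it in the persist file so it survives
# the next ruleset reload. Appending to the file by itself would change
# nothing until the ruleset is reloaded.
block_ip() {
    ip=$1
    "$PFCTL" -t "$PF_TABLE" -T add "$ip" || return 1
    "$PFCTL" -k "$ip" >/dev/null 2>&1
    grep -qxF "$ip" "$PF_FILE" 2>/dev/null || printf '%s\n' "$ip" >> "$PF_FILE"
}

main() {
    printf '%s\n' "$SAMPLE_LOG" | offenders | while read -r ip; do
        block_ip "$ip" && echo "blocked $ip"
    done
    # Verify from the kernel's view, not from the file's.
    "$PFCTL" -t "$PF_TABLE" -T show
}

# Only touch pf where pfctl exists; on other hosts the functions are just
# defined for use or testing.
if command -v "$PFCTL" >/dev/null 2>&1; then
    main
fi
```

On a real host this needs root, and `pfctl -t bruteforce -T show` after the run should list `163.13.111.172`; if the address is in `/etc/bruteforce` but missing from that output, the blocker updated only the file and the running ruleset never saw it.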