From: Noel Jones
To: freebsd-questions@freebsd.org
Date: Wed, 5 Oct 2005 14:53:03 -0500
Subject: Re: bruteforceblocker + PF
In-Reply-To: <200510051204.54331.eayesta@portugalete.uned.es>

On 10/5/05, Enrique Ayesta Perojo wrote:
> Hello, I'm trying to install the bruteforceblocker script to stop ssh attacks,
> but I'm having a problem with PF because it seems not to block the attacker
> ip.
>
> The machine is connected to the internet and has some needed services for the LAN,
> so I want to log and block only outside attacks.
>
> The bruteforceblocker script seems to be working, because I can read the
> initial time of it at /var/log/auth.log, so I think the problem may be at my
> pf configuration.
>
> Any help?
>
> Thanks a lot
>
> ####/etc/pf.conf####
> # table name assumed: the angle-bracketed name was stripped by the list archive
> table <bruteforce> persist file "/var/log/bruteforce"
>
> # options
> set block-policy return
> set loginterface $ext_if
>
> # scrub
> scrub in all
>
> # filter rules
> block all
>
> pass quick on lo0 all
>
> pass in on bge0 from 10.200.62.0/24 to 10.200.62.17
> pass out on bge0 from 10.200.62.17 to 10.200.62.0/24
>
> block in log quick inet proto tcp from <bruteforce> to any port ssh

I'm going to assume this is just a small part of your pf.conf, because the
part you show doesn't allow any internet access. Maybe you should show us
your entire pf.conf.

Do your rules display as expected?
# pfctl -s rules

Did you reload pf after you edited pf.conf?
# pfctl -f /etc/pf.conf

Are you testing this from outside the 10.200.x.x network?

In your auth.log do you see bruteforceblocker messages such as:
220.92.126.217 was logged with total count of 1.
when an ssh login fails? And then after $max_attempts is exceeded you
should see:
IP 202.92.126.217 reached the maximum number of failed attempts!!! Adding IP to the firewall...

--
Noel Jones
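As an added example, not code from either message in the thread nor from bruteforceblocker itself: the per-source failed-login count that bruteforceblocker applies to auth.log, done here with awk so the threshold, the LAN exclusion and the resulting pfctl table commands can be reviewed on a copy of the log before anything is loaded into pf. The table name "bruteforce", the 10.200.62. LAN prefix, the threshold and the sample log lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from bruteforceblocker. Counts
# failed sshd logins per source in an auth.log-style file and prints the
# addresses that reached the threshold, one per line, the format pf reads for
# "table <name> persist file". Assumed: OpenSSH "Failed password ... from <ip>"
# lines, LAN prefix 10.200.62. (skipped: outside attackers only), table name.
max_attempts=3          # assumed; bruteforceblocker uses its own $max_attempts
lan_prefix="10.200.62." # assumed LAN, matching the 10.200.62.0/24 pass rules

# failed_logins MAX FILE: print "<ip> <count>" for each outside source with at
# least MAX failures, sorted so the output is stable
failed_logins() {
    awk -v max="$1" -v lan="$lan_prefix" '
        /Failed password for/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "" && index(ip, lan) != 1) n[ip]++
        }
        END { for (ip in n) if (n[ip] >= max) print ip, n[ip] }
    ' "$2" | sort
}

# pf_block_cmds TABLE MAX FILE: print the pfctl commands that would add the
# listed addresses to TABLE and then show the table, so the result can be
# reviewed before it is run on the gateway
pf_block_cmds() {
    tbl=$1; shift
    failed_logins "$@" | while read -r ip count; do
        printf 'pfctl -t %s -T add %s   # %s failures\n' "$tbl" "$ip" "$count"
    done
    printf 'pfctl -t %s -T show\n' "$tbl"
}
# sample_log: write a constructed auth.log excerpt and print its path
sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Oct  5 12:50:01 gw sshd[1201]: Failed password for invalid user admin from 220.92.126.217 port 4021 ssh2
Oct  5 12:50:03 gw sshd[1201]: Failed password for invalid user admin from 220.92.126.217 port 4021 ssh2
Oct  5 12:50:05 gw sshd[1203]: Failed password for root from 220.92.126.217 port 4022 ssh2
Oct  5 12:50:06 gw sshd[1204]: Failed password for root from 202.92.126.217 port 3310 ssh2
Oct  5 12:50:08 gw sshd[1204]: Failed password for root from 202.92.126.217 port 3310 ssh2
Oct  5 12:50:09 gw sshd[1206]: Failed password for enrique from 10.200.62.40 port 50311 ssh2
EOF
    printf '%s\n' "$f"
}

log=$(sample_log)
pf_block_cmds bruteforce "$max_attempts" "$log"
rm -f "$log"
```

Run against the real /var/log/auth.log on the gateway, the printed pfctl lines can be compared with `pfctl -t bruteforce -T show` to see whether the table actually holds the addresses the log says were blocked.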