From owner-freebsd-questions@FreeBSD.ORG  Wed Nov 15 08:35:11 2006
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 580EC16A40F
	for <freebsd-questions@freebsd.org>;
	Wed, 15 Nov 2006 08:35:11 +0000 (UTC) (envelope-from ewhac@best.com)
Received: from ewhac.best.vwh.net (ewhac.best.vwh.net [192.220.66.121])
	by mx1.FreeBSD.org (Postfix) with ESMTP id D7C8643D5E
	for <freebsd-questions@freebsd.org>;
	Wed, 15 Nov 2006 08:35:10 +0000 (GMT) (envelope-from ewhac@best.com)
Received: (qmail 26421 invoked by uid 17017); 15 Nov 2006 08:35:10 -0000
Received: from unknown (HELO walkies.ewhac.org) ([127.0.0.1])
	(envelope-sender <ewhac@best.com>)
	by 127.0.0.1 (qmail-ldap-1.03) with SMTP
	for <freebsd-questions@freebsd.org>; 15 Nov 2006 08:35:10 -0000
Received: from ewhac by walkies.ewhac.org with local (Exim 3.36 #1 (Debian))
	id 1GkGEe-0005RR-00
	for <freebsd-questions@freebsd.org>; Wed, 15 Nov 2006 00:35:08 -0800
Date: Wed, 15 Nov 2006 00:35:08 -0800
To: freebsd-questions@freebsd.org
Message-ID: <20061115083508.GA20738@best.com>
References: <20061113060528.GA7646@best.com> <455836A2.6010004@gmx.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <455836A2.6010004@gmx.net>
User-Agent: Mutt/1.5.13 (2006-08-11)
From: "Leo L. Schwab" <ewhac@best.com>
Subject: Re: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?
	(Solved!)
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Nov 2006 08:35:11 -0000

	After instrumenting 'bruteblock' (and accidentally causing auth.log
to explode), I discovered that the ssh.conf file that ships with it won't
work on FreeBSD 6.1 (or at least my copy of it).

	The shipped regexp looks for "illegal" users.  But 'sshd' on FreeBSD
6.1 records login attempts of "invalid" users.

	The patch appended below got it to work on my system.

	My thanks to everyone who chimed in with suggestions.  They were
greatly appreciated.

					Schwab

--- ssh.conf.dist	Mon Oct 30 21:17:34 2006
+++ ssh.conf	Wed Nov 15 00:20:29 2006
@@ -6,16 +6,16 @@
 # this regexp for the OpenSSH server matches lines like:
 #
 # comment: auth via key only
-#sshd[72593]: Illegal user hacker from 1.2.3.4
+#sshd[72593]: Invalid user hacker from 1.2.3.4
 #
 # comment: pwd auth, but no such user
-#sshd[72593]: Failed password for illegal user sammmm from 1.2.3.4
+#sshd[72593]: Failed password for invalid user sammmm from 1.2.3.4
 #
 # comment: correct user, but wrong password
 #sshd[72626]: Failed password for samm from 1.2.3.4
 #
-regexp		= sshd.*Illegal user \S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
-regexp1 	= sshd.*Failed password for (?:illegal user )?\S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
+regexp		= sshd.*Invalid user \S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
+regexp1 	= sshd.*Failed password for (?:invalid user )?\S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
 
 # Number of failed login attempts within time before we block
 max_count       = 4