From owner-freebsd-questions@FreeBSD.ORG Thu Oct 6 07:07:57 2005
From: Enrique Ayesta Perojo
To: Noel Jones, freebsd-questions@freebsd.org
Date: Thu, 6 Oct 2005 09:07:57 +0200
Subject: Re: bruteforceblocker + PF
Message-Id: <200510060907.57922.eayesta@portugalete.uned.es>
References: <200510051204.54331.eayesta@portugalete.uned.es>

On Wednesday, 5 October 2005 21:53, Noel Jones wrote:
> I'm going to assume this is just a small part of your pf.conf, because
> the part you show doesn't allow any internet access. Maybe you should
> show us your entire pf.conf.

Yes, it was a small part of my pf.conf. Anyway, I'm trying on another machine
with a much smaller configuration, with the same results. I think it should be
enough for bruteforceblocker to work.

***/etc/pf.conf***

table <bruteforce> persist file "/var/log/bruteforce"

# options
set block-policy return
set loginterface bge0

# scrub
scrub in all

# filter rules
pass all
block in log quick inet proto tcp from <bruteforce> to any port ssh

> Do your rules display as expected?
> # pfctl -s rules

Yes, they display as expected:

No ALTQ support in kernel
ALTQ related functions disabled
scrub in all fragment reassemble
pass all
block return in log quick inet proto tcp from <bruteforce> to any port = ssh

> Did you reload pf after you edited pf.conf?
> # pfctl -f /etc/pf.conf

Yes, I did.

> Are you testing this from outside the 10.200.x.x network?

Yes.

> In your auth.log do you see bruteforceblocker messages such as:
>
> 220.92.126.217 was logged with total count of 1.
>
> when an ssh login fails?
> And then after $max_attempts is exceeded you should see:
>
> IP 202.92.126.217 reached the maximum number of failed attempts!!!
> Adding IP to the firewall...

No, I don't see any of these messages; the only message I see is the start of
the log:

!!!!!!! log started at Wed Oct 5 18:53:23 2005 !!!!!!!

I cannot figure out what the problem is. The bruteforce table remains clean after
the tests, but bruteforceblocker is running in the system apparently without
any problems, as I have checked with ps.

Thanks
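Added illustration, not part of the thread and not bruteforceblocker's own code: a small Python model of what the script does with the sshd lines syslogd hands it (count failures per source address, and once $max_attempts is reached, add the address to the pf table). The sample auth.log lines are constructed; the table name "bruteforce" and a threshold of 3 are assumed. Feeding it the lines from the real auth.log is a quick way to confirm that failed-login lines are actually arriving in a form the counter matches.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not taken from the original thread).
SAMPLE_AUTH_LOG = """\
Oct  5 18:55:01 gw sshd[1234]: Failed password for root from 203.0.113.7 port 40122 ssh2
Oct  5 18:55:03 gw sshd[1234]: Failed password for root from 203.0.113.7 port 40122 ssh2
Oct  5 18:55:05 gw sshd[1240]: Invalid user admin from 203.0.113.7
Oct  5 18:55:06 gw sshd[1240]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Oct  5 18:55:20 gw sshd[1250]: Accepted publickey for enrique from 10.200.62.201 port 51000 ssh2
Oct  5 18:56:00 gw sshd[1260]: Failed password for guest from 198.51.100.9 port 22010 ssh2
"""

# Matches the two common sshd failure lines and captures the source IPv4 address.
FAIL_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for|Invalid user) .*?from (\d+\.\d+\.\d+\.\d+)"
)


def process(lines, max_attempts=3, table="bruteforce"):
    """Walk the log lines once and return (messages, pfctl_commands).

    messages mirrors what the thread expects to see in auth.log; the pfctl
    commands are returned rather than executed, so this runs anywhere.
    Assumed defaults: table name "bruteforce", threshold 3.
    """
    counts = Counter()
    blocked = set()
    messages = []
    commands = []
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue                      # not an sshd failure line
        ip = m.group(1)
        if ip in blocked:
            continue                      # already in the pf table
        counts[ip] += 1
        messages.append(f"{ip} was logged with total count of {counts[ip]}.")
        if counts[ip] >= max_attempts:
            messages.append(f"IP {ip} reached the maximum number of failed "
                            f"attempts!!! Adding IP to the firewall...")
            commands.append(f"pfctl -t {table} -T add {ip}")
            blocked.add(ip)
    return messages, commands


if __name__ == "__main__":
    msgs, cmds = process(SAMPLE_AUTH_LOG.splitlines())
    print("\n".join(msgs))
    print("\n".join(cmds))
```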