From: Noel Jones
To: freebsd-questions@freebsd.org
Date: Thu, 6 Oct 2005 14:56:20 -0500
Subject: Re: bruteforceblocker + PF

On 10/6/05, Enrique Ayesta Perojo wrote:
> On Wednesday, 5 October 2005 21:53, Noel Jones wrote:
>
> > I'm going to assume this is just a small part of your pf.conf, because
> > the part you show doesn't allow any internet access. Maybe you should
> > show us your entire pf.conf.
> This simple pf config should work.
> No, I don't see any of these messages, the only message I see is the start of
> the log:
>
> !!!!!!! log started at Wed Oct 5 18:53:23 2005 !!!!!!!
>

I manually installed bruteforceblocker 1.1 (later noticed it's in
ports/security) and when it starts, it looks like:

    ------- log started at Wed Oct 5 13:13:01 2005 -------

So it appears that your software is different from mine.

Are you also seeing sshd logging information about failed and accepted
login attempts?

One thing I did notice was that all the lines in the
bruteforceblocker.pl script ended with ^M. So I used vi to remove
them. I don't know if that is part of your problem or not, but it's
something you might check.

FWIW, after making the suggested change to my syslog.conf file and
editing the file locations in the bruteforceblocker.pl script, it
worked first try here.

The only other suggestion I have is to check your /etc/syslog.conf
changes. Find the line that looks like:

    auth.info;authpriv.info /var/log/auth.log

and change it to:

    auth.info;authpriv.info | exec /usr/local/sbin/bruteforceblocker.pl

--
Noel Jones
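
The two checks suggested in the message above (stray ^M line endings in the script, and the syslog.conf pipe line), written as an added shell example that is not part of the original message. The function names are hypothetical and the sample files are constructed; a trailing carriage return on the `#!` line changes the interpreter path or argument the kernel sees, which is why it is worth testing for.

```sh
# Added example; all file contents below are constructed sample data.
CR=$(printf '\r')

# has_crlf FILE: succeeds if any line ends in a carriage return (^M in vi).
has_crlf() {
    grep -q "${CR}\$" "$1"
}

# strip_crlf FILE: drop the trailing CR from each line. The result is written
# back into the same file, so its mode (execute bit) is preserved.
strip_crlf() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/crfix.XXXXXX") || return 1
    sed "s/${CR}\$//" "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# auth_piped_to CONF PROGRAM: succeeds if an uncommented auth.info line in
# CONF pipes to PROGRAM, as in the syslog.conf change from the message.
auth_piped_to() {
    grep -v '^[[:space:]]*#' "$1" | grep 'auth\.info.*|' | grep -qF -- "$2"
}

# demo: run the checks against constructed files in a scratch directory.
demo() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/bfbdemo.XXXXXX") || return 1
    printf '#!/usr/bin/perl -w\r\nuse strict;\r\n' > "$dir/bruteforceblocker.pl"
    printf '%s\n' \
        '#auth.info;authpriv.info /var/log/auth.log' \
        'auth.info;authpriv.info | exec /usr/local/sbin/bruteforceblocker.pl' \
        > "$dir/syslog.conf"

    if has_crlf "$dir/bruteforceblocker.pl"; then
        echo "CR line endings found, stripping"
        strip_crlf "$dir/bruteforceblocker.pl"
    fi
    if has_crlf "$dir/bruteforceblocker.pl"; then
        echo "script still has CRs"
    else
        echo "script is clean"
    fi
    if auth_piped_to "$dir/syslog.conf" /usr/local/sbin/bruteforceblocker.pl; then
        echo "syslog.conf pipes auth.info to the script"
    else
        echo "syslog.conf does not pipe auth.info to the script"
    fi
    rm -rf "$dir"
}

demo
```

On a real system, point the functions at the installed script and at /etc/syslog.conf, then restart syslogd so the changed line takes effect.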