From owner-freebsd-questions@FreeBSD.ORG Thu Oct 6 20:37:11 2005
Date: Thu, 6 Oct 2005 22:35:06 +0200
From: Daniel Gerzo
To: "Dave"
Cc: freebsd-questions@freebsd.org
Subject: Re[2]: bruteforceblocker + PF
Message-ID: <1475883194.20051006223506@rulez.sk>
In-Reply-To: <000b01c5cab3$ef6493f0$0900a8c0@satellite>

Hi Dave,

Thursday, October 6, 2005, 10:24:20 PM, you wrote about:

> Hello,
> I've got bruteforceblocker going with pf, I just installed the port. My
> box is a 5.4 machine. I have it going on my LAN server, which does ssh for
> my network, it's the box you'll hit if you ssh in as opposed to the firewall
> box. It's adding IPs to the table, but it's doing it staggeringly, I see
> activity in my logs where attempts are made and then the IPs keep coming
> back as if they're not being blocked.

I'm running BruteForceBlocker on a bunch of the boxes and I have no
problem with it.

Can you check the pf table, if it is growing?

Can you also see messages like:

    User root from 67.15.192.35 not allowed because not listed in AllowUsers
    67.15.192.35 was logged with total count of 1.
    Failed password for invalid user root from 67.15.192.35 port 36082 ssh2
    67.15.192.35 was logged with total count of 2.
    User root from 67.15.192.35 not allowed because not listed in AllowUsers
    67.15.192.35 was logged with total count of 3.
    Failed password for invalid user root from 67.15.192.35 port 36111 ssh2
    IP 67.15.192.35 reached the maximum number of failed attempts!!! Adding IP to the firewall...

in your auth logfile?

If you want to check the pf table, use a command like:

    # pfctl -t bruteforce -T show

> Thanks.
> Dave.

-- 
Best Regards,
Daniel Gerzo
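
The two checks suggested in the reply above can be run against the log and a saved table dump together. The script below is an added example, not part of the original mail or of BruteForceBlocker; it relies on the message formats quoted in the mail, and the function names, file names and sample addresses are constructed for illustration.

```shell
# Added example (not BruteForceBlocker code); sample data is constructed.

# blocked_ips LOG: addresses the log says were handed to the firewall.
blocked_ips() {
    awk '/reached the maximum number of failed attempts/ {
        for (i = 1; i < NF; i++) if ($i == "IP" && $(i + 2) == "reached") print $(i + 1)
    }' "$1" | sort -u
}

# attempts_after_block LOG: "IP COUNT" of sshd failures logged after the block.
attempts_after_block() {
    awk '
    /reached the maximum number of failed attempts/ {
        for (i = 1; i < NF; i++) if ($i == "IP" && $(i + 2) == "reached") blocked[$(i + 1)] = 1
        next
    }
    /Failed password|not allowed because/ {
        ip = ""
        # the address follows the last "from" on sshd failure lines
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip in blocked) late[ip]++
    }
    END { for (ip in late) print ip, late[ip] }' "$1" | sort
}

# missing_from_table LOG TABLE: blocked addresses absent from TABLE, a saved
# copy of `pfctl -t bruteforce -T show` output.
missing_from_table() {
    blocked_ips "$1" | while read -r ip; do
        awk -v ip="$ip" '$1 == ip { f = 1 } END { exit !f }' "$2" || echo "$ip"
    done
}

# write_sample DIR: constructed auth log excerpt and table dump.
write_sample() {
    cat > "$1/auth.log" <<'EOF'
Failed password for invalid user root from 192.0.2.10 port 36082 ssh2
IP 192.0.2.10 reached the maximum number of failed attempts!!! Adding IP to the firewall...
Failed password for invalid user root from 192.0.2.10 port 36111 ssh2
User root from 192.0.2.10 not allowed because not listed in AllowUsers
Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
IP 203.0.113.7 reached the maximum number of failed attempts!!! Adding IP to the firewall...
EOF
    printf '   192.0.2.10\n' > "$1/table.txt"
}

tmp=$(mktemp -d) && write_sample "$tmp"
attempts_after_block "$tmp/auth.log"
missing_from_table "$tmp/auth.log" "$tmp/table.txt"
rm -rf "$tmp"
```

On a live system, pass the auth logfile and the saved output of the `pfctl -t bruteforce -T show` command from the mail in place of the sample files.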