Date: Sun, 2 Nov 2014 16:44:44 +0100
From: Hasse Hansson
To: freebsd-questions@freebsd.org
Subject: sshguard pf
Message-ID: <20141102154444.GA42429@ymer.thorshammare.org>

Hello

uname -a
FreeBSD ymer.thorshammare.org 10.1-RC3 FreeBSD 10.1-RC3 #0 r273437: Wed Oct 22 01:27:10 UTC 2014
root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC i386

I have a bit of a problem getting some bots blocked. I'm running pf and sshguard. Even tried fail2ban.
Below is a snippet from my auth.log showing sshguard blocking some IPs, but not the bot scans.
Both tables abusers and sshguard are empty and always were.
This junk is filling up my logfiles.
Any clues what I'm doing wrong or missing?

I'm running two crontabs:

# Sshguard
0/1 * * * * root pfctl -t sshguard -T show >/etc/sshguard 2>/dev/null
#
# Bruteforce ssh
0/2 * * * * root pfctl -t abusers -T show >/etc/abusers 2>/dev/null

In /etc/ssh/sshd_config I've uncommented:

Port 22
AddressFamily any
Protocol 2
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 1m
PermitRootLogin no
StrictModes yes
MaxAuthTries 5
MaxSessions 10
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
MaxStartups 10:30:100

In my /etc/rc.conf I have:

pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
sshguard_enable="YES"
sshguard_safety_thresh="30"
sshguard_pardon_min_interval="600"
sshguard_prescribe_interval="7200"

In /etc/pf.conf:

ext_if="fxp0"
int_if="xl0"
webports="{ http, https }"
table <sshguard> counters persist
table <abusers> persist
set skip on lo
scrub in
block in
pass out
block quick from <sshguard> to any
block drop in log quick on $ext_if inet from <abusers> to any
pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 2/120, overload <abusers> flush)
antispoof quick for { lo $ext_if $int_if }
pass in on $ext_if proto tcp to ($ext_if) port ssh
pass in log on $ext_if proto tcp to ($ext_if) port smtp
pass out log on $ext_if proto tcp from ($ext_if) to port smtp
pass in log on $ext_if proto tcp to ($ext_if) port $webports
pass out log on $ext_if proto tcp from ($ext_if) to port $webports
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type { unreach, redir, timex }

Nov 2 07:51:13 ymer sshguard[19225]: Blocking 103.27.24.106:4 for >900secs: 30 danger in 3 attacks over 18 seconds (all: 30d in 1 abuses over 18s).
Nov 2 10:35:35 ymer sshguard[19225]: Blocking 60.190.71.52:4 for >900secs: 30 danger in 3 attacks over 8 seconds (all: 30d in 1 abuses over 8s).
Nov 2 11:09:50 ymer sshguard[19225]: Blocking 122.225.97.105:4 for >900secs: 30 danger in 3 attacks over 65 seconds (all: 30d in 1 abuses over 65s).
Nov 2 13:10:52 ymer sshguard[19225]: Blocking 50.30.32.19:4 for >900secs: 30 danger in 3 attacks over 4 seconds (all: 30d in 1 abuses over 4s).
Nov 2 14:34:55 ymer sshguard[19225]: Blocking 61.174.51.212:4 for >900secs: 30 danger in 3 attacks over 69 seconds (all: 30d in 1 abuses over 69s).
Nov 2 16:32:09 ymer sshd[42957]: Connection from 202.109.143.110 port 3453 on 192.168.1.2 port 22
Nov 2 16:32:13 ymer sshd[42957]: Disconnecting: Too many authentication failures for root [preauth]
Nov 2 16:32:14 ymer sshd[42959]: Connection from 202.109.143.110 port 2838 on 192.168.1.2 port 22
Nov 2 16:32:17 ymer sshd[42959]: Disconnecting: Too many authentication failures for root [preauth]
Nov 2 16:32:21 ymer sshd[42961]: Connection from 202.109.143.110 port 3611 on 192.168.1.2 port 22
Nov 2 16:32:34 ymer sshd[42961]: Disconnecting: Too many authentication failures for root [preauth]
Nov 2 16:32:41 ymer sshd[42963]: Connection from 202.109.143.110 port 2507 on 192.168.1.2 port 22
Nov 2 16:32:48 ymer sshd[42963]: Disconnecting: Too many authentication failures for root [preauth]
Nov 2 16:32:49 ymer sshd[42965]: Connection from 202.109.143.110 port 4650 on 192.168.1.2 port 22
Nov 2 16:32:52 ymer sshd[42965]: Disconnecting: Too many authentication failures for root [preauth]
Nov 2 16:32:52 ymer sshd[42967]: Connection from 202.109.143.110 port 4650 on 192.168.1.2 port 22
Nov 2 16:33:01 ymer sshd[42967]: Disconnecting: Too many authentication failures for root [preauth]
Nov 2 16:33:02 ymer sshd[42983]: Connection from 202.109.143.110 port 4316 on 192.168.1.2 port 22
Nov 2 16:33:12 ymer sshd[42983]: Disconnecting: Too many authentication failures for root [preauth]
Nov 2 16:33:18 ymer sshd[42985]: Connection from 202.109.143.110 port 2539 on 192.168.1.2 port 22
Nov 2 16:33:27 ymer sshd[42985]: Disconnecting: Too many authentication failures for root [preauth]
Nov 2 16:33:28 ymer sshd[42987]: Connection from 202.109.143.110 port 4555 on 192.168.1.2 port 22
Nov 2 16:33:35 ymer sshd[42987]: Disconnecting: Too many authentication failures for root [preauth]
Nov 2 16:33:38 ymer sshd[42989]: Connection from 202.109.143.110 port 3164 on 192.168.1.2 port 22
Nov 2 16:33:43 ymer sshd[42989]: Disconnecting: Too many authentication failures for root [preauth]
Nov 2 16:33:43 ymer sshd[42991]: Connection from 202.109.143.110 port 4749 on 192.168.1.2 port 22
Nov 2 16:33:52 ymer sshd[42991]: fatal: Read from socket failed: Connection reset by peer [preauth]

Best Regards
Hasse.
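The post's auth.log excerpt and the `max-src-conn-rate 2/120` rule make it possible to check, offline, what the two blocking mechanisms should have produced and compare that against what the pf tables actually hold. The script below is an added example written for this thread, not code from the poster or from the sshguard or pf projects. It replays pf's `max-src-conn-rate N/T` check (more than N new connections from one source inside any T-second window) over the sshd `Connection from` lines, collects the addresses sshguard reports as blocked, and diffs both sets against `pfctl -t <table> -T show` output. The log lines are copied from the post; the year 2014 is assumed because syslog timestamps carry none, and the empty table dump is constructed to mirror the poster's observation that both tables were empty.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines copied from the auth.log excerpt in the post. The "Disconnecting" lines are
# left out on purpose: pf's max-src-conn-rate counts new connections, not auth failures.
AUTH_LOG = """\
Nov 2 07:51:13 ymer sshguard[19225]: Blocking 103.27.24.106:4 for >900secs: 30 danger in 3 attacks over 18 seconds (all: 30d in 1 abuses over 18s).
Nov 2 10:35:35 ymer sshguard[19225]: Blocking 60.190.71.52:4 for >900secs: 30 danger in 3 attacks over 8 seconds (all: 30d in 1 abuses over 8s).
Nov 2 11:09:50 ymer sshguard[19225]: Blocking 122.225.97.105:4 for >900secs: 30 danger in 3 attacks over 65 seconds (all: 30d in 1 abuses over 65s).
Nov 2 13:10:52 ymer sshguard[19225]: Blocking 50.30.32.19:4 for >900secs: 30 danger in 3 attacks over 4 seconds (all: 30d in 1 abuses over 4s).
Nov 2 14:34:55 ymer sshguard[19225]: Blocking 61.174.51.212:4 for >900secs: 30 danger in 3 attacks over 69 seconds (all: 30d in 1 abuses over 69s).
Nov 2 16:32:09 ymer sshd[42957]: Connection from 202.109.143.110 port 3453 on 192.168.1.2 port 22
Nov 2 16:32:14 ymer sshd[42959]: Connection from 202.109.143.110 port 2838 on 192.168.1.2 port 22
Nov 2 16:32:21 ymer sshd[42961]: Connection from 202.109.143.110 port 3611 on 192.168.1.2 port 22
Nov 2 16:32:41 ymer sshd[42963]: Connection from 202.109.143.110 port 2507 on 192.168.1.2 port 22
Nov 2 16:32:49 ymer sshd[42965]: Connection from 202.109.143.110 port 4650 on 192.168.1.2 port 22
Nov 2 16:32:52 ymer sshd[42967]: Connection from 202.109.143.110 port 4650 on 192.168.1.2 port 22
Nov 2 16:33:02 ymer sshd[42983]: Connection from 202.109.143.110 port 4316 on 192.168.1.2 port 22
Nov 2 16:33:18 ymer sshd[42985]: Connection from 202.109.143.110 port 2539 on 192.168.1.2 port 22
Nov 2 16:33:28 ymer sshd[42987]: Connection from 202.109.143.110 port 4555 on 192.168.1.2 port 22
Nov 2 16:33:38 ymer sshd[42989]: Connection from 202.109.143.110 port 3164 on 192.168.1.2 port 22
Nov 2 16:33:43 ymer sshd[42991]: Connection from 202.109.143.110 port 4749 on 192.168.1.2 port 22
"""

# Constructed: what `pfctl -t abusers -T show` printed on the poster's machine (nothing).
EMPTY_TABLE_DUMP = ""

SSHGUARD_BLOCK = re.compile(r"sshguard\[\d+\]: Blocking (?P<ip>[\d.]+):\d+ for")
SSHD_CONN = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Connection from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts, year=2014):
    """syslog timestamps carry no year, so the caller supplies one (2014 assumed here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def sshguard_blocked(log):
    """Addresses sshguard reports as blocked; each should appear in the <sshguard> table."""
    found = set()
    for line in log.splitlines():
        m = SSHGUARD_BLOCK.search(line)
        if m:
            found.add(m.group("ip"))
    return found


def rate_offenders(log, max_conn=2, seconds=120):
    """Replay pf's max-src-conn-rate N/T test over sshd 'Connection from' lines.

    Returns {ip: peak number of new connections in any T-second window} for every
    source that exceeded N, i.e. the sources the overload table should contain."""
    times = defaultdict(list)
    for line in log.splitlines():
        m = SSHD_CONN.match(line)
        if m:
            times[m.group("ip")].append(parse_ts(m.group("ts")))
    offenders = {}
    for ip, stamps in times.items():
        stamps.sort()
        peak, j = 0, 0
        for i in range(len(stamps)):
            # slide j to the first stamp that falls outside the window starting at stamps[i]
            while j < len(stamps) and (stamps[j] - stamps[i]).total_seconds() <= seconds:
                j += 1
            peak = max(peak, j - i)
        if peak > max_conn:
            offenders[ip] = peak
    return offenders


def missing_from_table(expected, table_dump):
    """Addresses in `expected` that do not appear in `pfctl -t <name> -T show` output."""
    present = {line.strip() for line in table_dump.splitlines() if line.strip()}
    return expected - present


if __name__ == "__main__":
    claimed = sshguard_blocked(AUTH_LOG)
    print("sshguard says blocked:", sorted(claimed))
    print("sources over 2 connections / 120 s:", rate_offenders(AUTH_LOG))
    print("claimed blocked but absent from the table:",
          sorted(missing_from_table(claimed, EMPTY_TABLE_DUMP)))
```

Run against the posted excerpt, the script reports the five addresses sshguard logged as blocked, flags 202.109.143.110 with eleven new connections inside one 120-second window (well past the 2/120 limit), and lists all of them as missing from the empty table, which is the discrepancy the post describes. On the live machine the table dump would come from `pfctl -t abusers -T show` and `pfctl -t sshguard -T show`. One pf detail worth checking with `pfctl -sr` when reading the posted ruleset: without `quick`, pf applies the last matching rule, and the ruleset contains two `pass in ... port ssh` rules, only the earlier of which carries the `max-src-conn-rate` and `overload <abusers>` options.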