From owner-freebsd-questions@FreeBSD.ORG Tue Nov 2 16:35:13 2010
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 94FA9106566C for ; Tue, 2 Nov 2010 16:35:13 +0000 (UTC) (envelope-from vic@yeaguy.com)
Received: from hrndva-omtalb.mail.rr.com (hrndva-omtalb.mail.rr.com [71.74.56.123]) by mx1.freebsd.org (Postfix) with ESMTP id 575088FC18 for ; Tue, 2 Nov 2010 16:35:07 +0000 (UTC)
X-Cloudmark-Score: 0
X-Originating-IP: 67.49.120.184
Received: from [67.49.120.184] ([67.49.120.184:15105] helo=[192.168.1.169]) by hrndva-oedge03.mail.rr.com (envelope-from ) (ecelerity 2.2.3.46 r()) with ESMTP id CE/DB-24070-EAD30DC4; Tue, 02 Nov 2010 16:34:54 +0000
Date: Tue, 2 Nov 2010 09:34:50 -0700 (PDT)
From: "Justin V."
To: freebsd-questions@freebsd.org
Message-ID:
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
Subject: SSHguard and PF
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Tue, 02 Nov 2010 16:35:13 -0000

Hi,

Would this be considered bruteforce??
This goes on and on:

Nov 2 05:42:19 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:42:53 yeaguy last message repeated 3 times
Nov 2 05:43:11 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:43:31 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
Nov 2 05:43:35 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:43:54 yeaguy last message repeated 2 times
Nov 2 05:44:27 yeaguy last message repeated 2 times
Nov 2 05:44:47 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
Nov 2 05:44:53 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:45:27 yeaguy last message repeated 3 times
Nov 2 05:45:44 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:46:05 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
Nov 2 05:46:12 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:46:47 yeaguy last message repeated 3 times
Nov 2 05:47:03 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:47:24 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
Nov 2 05:47:31 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:48:06 yeaguy last message repeated 3 times
Nov 2 05:48:24 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:48:45 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
Nov 2 05:48:50 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:49:25 yeaguy last message repeated 3 times
Nov 2 05:49:42 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:50:01 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
Nov 2 05:50:08 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:50:40 yeaguy last message repeated 3 times
Nov 2 05:50:58 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:51:20 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
Nov 2 05:51:25 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:51:59 yeaguy last message repeated 3 times
Nov 2 05:52:16 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]

My sshguard config:

# $FreeBSD: src/share/examples/pf/pf.conf,v 1.1.4.1.4.1 2010/06/14 02:09:06 kensmith Exp $
# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if="wlan0"
#int_if="int0"

#table persist
table persist

#set skip on lo

#scrub in

#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#no rdr on $ext_if proto tcp from to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
#    -> 127.0.0.1 port spamd

#anchor "ftp-proxy/*"
#block in
block in log quick on $ext_if from label "bruteforce"
#pass out

#pass quick on $int_if no state
#antispoof quick for { lo $int_if }

#pass in on $ext_if proto tcp to ($ext_if) port ssh
#pass in log on $ext_if proto tcp to ($ext_if) port smtp
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp

LOGS:

yeaguy# nslookup a214.amber.fastwebserver.de
Server:         10.1.1.1
Address:        10.1.1.1#53

Non-authoritative answer:
Name:   a214.amber.fastwebserver.de
Address: 217.79.189.214

yeaguy# tcpdump -n -e -ttt -r /var/log/pflog | grep 217.79.189.214
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
yeaguy#

Thanks,
Justin
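As an added illustration (not part of Justin's post and not sshguard's own code), the script below does the counting that answers the "is this bruteforce?" question from the pure-ftpd lines quoted above. It parses the syslog format, expands syslogd's "last message repeated N times" lines into the individual failures they stand for (a step that is easy to forget and that under-counts badly here), and then reports, per source host, the total number of failures and the largest burst inside a sliding window. The sample input is a constructed slice of the post's own log lines plus two constructed lines (an unrelated sshd message and a single-failure second host); the window of 10 minutes, the threshold of 4 failures, and the year 2010 used to complete the year-less syslog timestamps are assumptions, not sshguard's defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: the first few pure-ftpd lines quoted in the post,
# plus two constructed lines (an sshd login and a single-failure second host)
# so the script shows how unrelated messages and low-volume sources are handled.
SAMPLE_LOG = """\
Nov  2 05:42:19 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:42:53 yeaguy last message repeated 3 times
Nov  2 05:43:11 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:43:31 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
Nov  2 05:43:35 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:43:54 yeaguy last message repeated 2 times
Nov  2 05:44:27 yeaguy last message repeated 2 times
Nov  2 05:44:47 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
Nov  2 05:45:00 yeaguy pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [bob]
Nov  2 05:50:00 yeaguy sshd[1234]: Accepted publickey for justin from 192.0.2.10 port 5000 ssh2
"""

# Classic BSD syslog line: "<Mon> <day> HH:MM:SS <host> <message>" (no year).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
# pure-ftpd's failed-login message, as it appears in the post.
AUTHFAIL_RE = re.compile(
    r"^pure-ftpd: \([^@]*@(?P<src>[^)]+)\) \[WARNING\] Authentication failed "
    r"for user \[(?P<user>[^\]]*)\]$")
# syslogd's collapse of consecutive identical messages.
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")


def parse_timestamp(ts, year):
    """Syslog timestamps carry no year, so the caller supplies one (assumed 2010 here)."""
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S").replace(year=year)


def extract_failures(log_text, year=2010):
    """Return a list of (time, source_host, user) with one entry per failed login.

    A 'last message repeated N times' line is expanded to N failures attributed
    to the source of the preceding auth-failure line; any other message (for
    example the [ERROR] line) ends that run, since a later repeat would refer
    to it instead.
    """
    failures = []
    last_fail = None  # (src, user) of the most recent auth-failure line
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        when = parse_timestamp(m["ts"], year)
        msg = m["msg"]
        fail = AUTHFAIL_RE.match(msg)
        if fail:
            last_fail = (fail["src"], fail["user"])
            failures.append((when, *last_fail))
            continue
        rep = REPEAT_RE.match(msg)
        if rep and last_fail is not None:
            # Individual times are lost; use the repeat line's own timestamp.
            failures.extend((when, *last_fail) for _ in range(int(rep["n"])))
            continue
        last_fail = None
    return failures


def max_in_window(times, window):
    """Largest number of events that fall inside any interval of length `window`."""
    times = sorted(times)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def score_sources(failures, window=timedelta(minutes=10), threshold=4):
    """Per source host: total failures, worst burst, and whether it crosses the
    (assumed) threshold of `threshold` failures within `window`."""
    per_src = defaultdict(list)
    for when, src, _user in failures:
        per_src[src].append(when)
    report = {}
    for src, times in per_src.items():
        burst = max_in_window(times, window)
        report[src] = {"total": len(times), "burst": burst,
                       "bruteforce": burst >= threshold}
    return report


def bruteforce_sources(report):
    """Sorted list of the hosts the report flags."""
    return sorted(src for src, r in report.items() if r["bruteforce"])


if __name__ == "__main__":
    rep = score_sources(extract_failures(SAMPLE_LOG))
    for src, r in sorted(rep.items()):
        print(f"{src:32} total={r['total']:3} burst={r['burst']:3} bruteforce={r['bruteforce']}")
```

On the quoted slice alone the a214 host accounts for ten failures in just over two minutes, of which seven are hidden inside "repeated" lines; read naively, the same slice shows only three. Whatever tool does the blocking, the useful follow-up check is whether the offending address actually reached the pf table the block rule references, with `pfctl -t <tablename> -T show` (the table name is missing from the quoted pf.conf), and whether the rule itself loaded, with `pfctl -sr`; an empty pflog for the address is consistent with it never having been added.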