Date: Tue, 2 Nov 2010 09:56:33 -0700
From: Rob Farmer <rfarmer@predatorlabs.net>
To: "Justin V." <vic@yeaguy.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: SSHgaurd and PF
Message-ID: <AANLkTikq%2BgYWD=SEY4nKboV7QUTk9DQdj2bkJ_CRpoAv@mail.gmail.com>
In-Reply-To: <alpine.BSF.2.00.1011020930390.17971@yeaguy.com>
References: <alpine.BSF.2.00.1011020930390.17971@yeaguy.com>
On Tue, Nov 2, 2010 at 09:34, Justin V. <vic@yeaguy.com> wrote:
> Hi,
>
> Would this be considered brute force?

Yes

>
> This goes on and on:
>
>
> Nov  2 05:42:19 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING]
> Authentication failed for user [Administrator]
> Nov  2 05:42:53 yeaguy last message repeated 3 times

[...]

> My sshguard config:

Something isn't set up right if you are getting that many attempts - it should kill them right away:

Nov  1 10:47:51 peridot sshd[77847]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:47:53 peridot sshd[77967]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:47:54 peridot sshd[78123]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:47:56 peridot sshd[78228]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:47:56 peridot sshguard[49177]: Blocking 178.238.137.213:4 for >420secs: 4 failures over 5 seconds.

Do you have the syslog.conf part set up as well as the pf part? I've only used it for ssh but something like the following needs to be there:

auth.info;authpriv.info                         |exec /usr/local/sbin/sshguard

> yeaguy# nslookup a214.amber.fastwebserver.de
> Server:         10.1.1.1
> Address:        10.1.1.1#53
>
> Non-authoritative answer:
> Name:   a214.amber.fastwebserver.de
> Address: 217.79.189.214
>

I wouldn't waste your time trying to find out who they are - just block and move on. That site is probably a shared web hosting account that was compromised by a bad php script - even if you successfully complain (assuming it is a legit hoster that cares) and they do something about it, there are thousands more.

-- 
Rob Farmer
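The reply above explains the mechanism in one line: syslog pipes auth messages into sshguard, sshguard counts failures per source and, once a threshold is hit, adds the source to a pf table for a fixed time. The following script is an added illustration of that counting logic, written for this page; it is not sshguard's code and not from the thread. It runs over constructed log lines in the same syslog format Justin posted and shows the one detail a naive matcher gets wrong: syslogd collapses identical lines into "last message repeated N times", so the four pure-ftpd failures in the thread appear as one line plus a repeat count. The thresholds (4 failures, 420 s block) are taken from the sshguard line Rob quoted; the 1200 s counting window, the pf table name `sshguard`, the sshd "Failed password" pattern and the sample addresses are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Numbers from the sshguard line quoted in the thread ("4 failures", ">420secs").
THRESHOLD = 4
BLOCK_SECS = 420
# Assumption: how far back failures are counted toward the threshold.
WINDOW_SECS = 1200
# Assumption: name of the pf table; it must match the <sshguard> table in pf.conf.
PF_TABLE = "sshguard"

# Constructed sample lines in the syslog format seen in the thread; not from a real host.
SAMPLE_LOG = """\
Nov  2 05:42:19 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:42:53 yeaguy last message repeated 3 times
Nov  2 05:43:10 yeaguy pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [admin]
Nov  2 05:55:00 yeaguy pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [admin]
Nov  2 06:00:01 yeaguy sshd[1234]: Failed password for invalid user oracle from 198.51.100.9 port 4455 ssh2
Nov  2 06:00:03 yeaguy sshd[1236]: Failed password for invalid user oracle from 198.51.100.9 port 4460 ssh2
Nov  2 06:00:05 yeaguy sshd[1238]: Failed password for root from 198.51.100.9 port 4471 ssh2
Nov  2 06:00:07 yeaguy sshd[1240]: Failed password for root from 198.51.100.9 port 4480 ssh2
Nov  2 06:00:09 yeaguy sshd[1242]: Failed password for root from 198.51.100.9 port 4490 ssh2
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")
FAIL_PATTERNS = [
    # pure-ftpd logs "(user@source)"; the source is whatever pure-ftpd resolved, name or IP.
    re.compile(r"^pure-ftpd: \(\S*@(?P<src>[^)]+)\) \[WARNING\] Authentication failed"),
    # sshd password failure line (assumed pattern, not from the thread).
    re.compile(r"^sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<src>\S+)"),
]


def parse_ts(text, year=2010):
    """Syslog timestamps carry no year; assume the year of the thread."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def record(failures, blocked, src, ts):
    """Count one failure for src at ts; block when THRESHOLD is reached inside WINDOW_SECS."""
    if src in blocked and ts < blocked[src][1]:
        return  # still blocked, nothing to count
    recent = [t for t in failures[src] if (ts - t).total_seconds() <= WINDOW_SECS]
    recent.append(ts)
    failures[src] = recent
    if len(recent) >= THRESHOLD:
        blocked[src] = (ts, ts + timedelta(seconds=BLOCK_SECS))
        failures[src] = []


def analyse(log_text):
    """Return {source: (block_time, expiry)} for every source that crossed the threshold."""
    failures = defaultdict(list)
    blocked = {}
    last_src = None  # source of the immediately preceding failure line, for "repeated" lines
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        rep = REPEAT_RE.match(msg)
        if rep:
            # syslogd collapsed N identical lines; credit them to the previous failure's source.
            if last_src is None:
                continue
            events = [(last_src, ts)] * int(rep["n"])
        else:
            src = next((fm["src"] for fm in map(lambda p: p.match(msg), FAIL_PATTERNS) if fm), None)
            if src is None:
                last_src = None  # any other line breaks the repeat chain
                continue
            last_src = src
            events = [(src, ts)]
        for src, ev in events:
            record(failures, blocked, src, ev)
    return blocked


def pf_commands(blocked):
    """The pfctl invocations that would enforce the decisions (printed, never executed here)."""
    return [f"pfctl -t {PF_TABLE} -T add {src}" for src in sorted(blocked)]


if __name__ == "__main__":
    decisions = analyse(SAMPLE_LOG)
    for src, (when, until) in decisions.items():
        print(f"{src}: blocked at {when:%H:%M:%S} until {until:%H:%M:%S}")
    print("\n".join(pf_commands(decisions)))
```

On the sample input the pure-ftpd source is blocked at 05:42:53 only because the three collapsed repeats are credited to it; 203.0.113.7 stays under the threshold with two failures, and the sshd source is blocked on its fourth attempt, with the fifth ignored while the block is active. With the real daemon, the same check is `pfctl -t sshguard -T show` after a burst like the one in the thread: if the table stays empty, the syslog.conf pipe is the first thing to look at, because sshguard never sees lines that are not piped to it.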