From: Rob Farmer
To: "Justin V."
Cc: freebsd-questions@freebsd.org
Date: Tue, 2 Nov 2010 09:56:33 -0700
Subject: Re: SSHguard and PF

On Tue, Nov 2, 2010 at 09:34, Justin V. wrote:
> Hi,
>
> Would this be considered brute force?

Yes

>
> This goes on and on:
>
>
> Nov  2 05:42:19 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING]
> Authentication failed for user [Administrator]
> Nov  2 05:42:53 yeaguy last message repeated 3 times
[...]
>
> My sshguard config:

Something isn't set up right if you are getting that many attempts - it
should kill them right away:

Nov  1 10:47:51 peridot sshd[77847]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:47:53 peridot sshd[77967]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:47:54 peridot sshd[78123]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:47:56 peridot sshd[78228]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:47:56 peridot sshguard[49177]: Blocking 178.238.137.213:4 for >420secs: 4 failures over 5 seconds.

Do you have the syslog.conf part set up as well as the pf part? I've only
used it for ssh but something like the following needs to be there:

auth.info;authpriv.info                         |exec /usr/local/sbin/sshguard

> yeaguy# nslookup a214.amber.fastwebserver.de
> Server:         10.1.1.1
> Address:        10.1.1.1#53
>
> Non-authoritative answer:
> Name:   a214.amber.fastwebserver.de
> Address: 217.79.189.214
>

I wouldn't waste your time trying to find out who they are - just block and
move on. That site is probably a shared web hosting account that was
compromised by a bad PHP script - even if you successfully complain
(assuming it is a legit hoster that cares) and they do something about it,
there are thousands more.

-- 
Rob Farmer
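The following is an added example, not code from this thread and not sshguard's own source. It models the decision the quoted sshguard line describes ("4 failures over 5 seconds" leads to a block of at least 420 seconds) as a small detector run over constructed log lines in the two formats seen above (sshd reverse-mapping warnings and pure-ftpd authentication failures). Everything beyond those two facts is the example's own choice and is marked as such in the code: the sample log is constructed (the real lines from the thread plus invented continuation lines), the "last message repeated N times" line is expanded so syslogd's compression does not hide attempts from the counter, the block time doubles on a repeat offence, the pf table name "sshguard" and the year 2010 are assumptions, and a static dictionary stands in for DNS so that the pure-ftpd hostname resolves offline to the address Justin's nslookup returned.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Thresholds taken from the sshguard line quoted in the thread:
# "Blocking ... for >420secs: 4 failures over 5 seconds."
THRESHOLD = 4                   # failures ...
WINDOW = timedelta(seconds=5)   # ... within this span trigger a block
BASE_BLOCK = 420                # seconds for a first offence
YEAR = 2010                     # syslog stamps carry no year (assumed)

# Stand-in for DNS so the example runs offline. The one mapping is the
# nslookup result quoted in the thread; pf tables need an address, not a name.
STATIC_DNS = {"a214.amber.fastwebserver.de": "217.79.189.214"}

# Constructed sample log: the thread's lines plus invented continuation
# (second sshd wave after the first block expires, two more pure-ftpd tries).
SAMPLE_LOG = """\
Nov  1 10:47:51 peridot sshd[77847]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:47:53 peridot sshd[77967]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:47:54 peridot sshd[78123]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:47:56 peridot sshd[78228]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:58:01 peridot sshd[79001]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:58:02 peridot sshd[79002]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:58:03 peridot sshd[79003]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:58:04 peridot sshd[79004]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  2 05:42:19 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:42:53 yeaguy last message repeated 3 times
Nov  2 05:42:55 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [admin]
Nov  2 05:42:57 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [root]
"""

# One pattern per log format in the thread; group "src" is the attacker token.
PATTERNS = [
    re.compile(r"pure-ftpd: \(\S*?@(?P<src>[^)]+)\) \[WARNING\] Authentication failed for user"),
    re.compile(r"sshd\[\d+\]: reverse mapping checking getaddrinfo for \S+ \[(?P<src>[\d.]+)\] failed"),
]
REPEAT = re.compile(r"last message repeated (?P<n>\d+) times")
STAMP = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")


def parse_ts(text):
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")


def events(log_text):
    """Yield (timestamp, src) per failed attempt. A syslogd repeat line is
    expanded into N copies of the previous attempt, stamped with the repeat
    line's time (this example's choice; the real times were compressed away)."""
    last = None
    for line in log_text.splitlines():
        m = STAMP.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        r = REPEAT.search(msg)
        if r and last is not None:
            for _ in range(int(r["n"])):
                yield ts, last
            continue
        for pat in PATTERNS:
            hit = pat.search(msg)
            if hit:
                last = hit["src"]
                yield ts, last
                break
        else:
            last = None   # a repeat after an unrelated line is not an attempt


class Detector:
    def __init__(self):
        self.recent = {}    # src -> deque of failure times inside WINDOW
        self.blocked = {}   # src -> time the current block expires
        self.offences = {}  # src -> number of blocks issued so far
        self.blocks = []    # (src, ip, start, seconds) decisions, in order

    def to_ip(self, src):
        return src if re.fullmatch(r"[\d.]+", src) else STATIC_DNS.get(src, src)

    def feed(self, ts, src):
        if src in self.blocked:
            if ts < self.blocked[src]:
                return None           # still blocked: nothing new to do
            del self.blocked[src]     # pardon time elapsed; count afresh
        window = self.recent.setdefault(src, deque())
        window.append(ts)
        while ts - window[0] > WINDOW:
            window.popleft()          # forget failures older than the window
        if len(window) < THRESHOLD:
            return None
        n = self.offences[src] = self.offences.get(src, 0) + 1
        seconds = BASE_BLOCK * 2 ** (n - 1)   # doubling on repeat: example's choice
        self.blocked[src] = ts + timedelta(seconds=seconds)
        window.clear()
        decision = (src, self.to_ip(src), ts, seconds)
        self.blocks.append(decision)
        return decision


def run(log_text):
    det = Detector()
    for ts, src in events(log_text):
        det.feed(ts, src)
    return det.blocks


def pf_commands(blocks, table="sshguard"):
    """Render the pfctl table additions for each decision; the table name is
    whatever pf.conf declares (assumed here to be 'sshguard')."""
    return [f"pfctl -t {table} -T add {ip}" for _, ip, _, _ in blocks]


if __name__ == "__main__":
    for src, ip, start, secs in run(SAMPLE_LOG):
        print(f"{start:%b %e %H:%M:%S} block {src} ({ip}) for {secs}s")
    print("\n".join(pf_commands(run(SAMPLE_LOG))))
```

On the constructed sample the sshd source is blocked at 10:47:56 for 420 s (the same four-in-five-seconds decision as the quoted sshguard line), then again at 10:58:04 for 840 s once the first block has lapsed, and the pure-ftpd source is blocked at 05:42:55 only because the repeat line was expanded; with the compressed attempts dropped it would have shown two failures 36 seconds apart and never crossed the threshold, which is worth keeping in mind when a log full of "last message repeated" lines seems to produce no blocks.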