From owner-freebsd-questions@FreeBSD.ORG Tue Nov 2 17:03:15 2010
Date: Tue, 2 Nov 2010 10:03:11 -0700 (PDT)
From: "Justin V." <vic@yeaguy.com>
To: Rob Farmer
Cc: freebsd-questions@freebsd.org
Subject: Re: SSHguard and PF
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
List-Id: User questions <freebsd-questions@freebsd.org>
On Tue, 2 Nov 2010, Rob Farmer wrote:

> On Tue, Nov 2, 2010 at 09:34, Justin V. wrote:
>> Hi,
>>
>> Would this be considered bruteforce??
>
> Yes
>
>> This goes on and on:
>>
>> Nov  2 05:42:19 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
>> Nov  2 05:42:53 yeaguy last message repeated 3 times
> [...]
>>
>> My sshguard config:
>
> Something isn't set up right if you are getting that many attempts -
> it should kill them right away:
>
> Nov 1 10:47:51 peridot sshd[77847]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
> Nov 1 10:47:53 peridot sshd[77967]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
> Nov 1 10:47:54 peridot sshd[78123]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
> Nov 1 10:47:56 peridot sshd[78228]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
> Nov 1 10:47:56 peridot sshguard[49177]: Blocking 178.238.137.213:4 for >420secs: 4 failures over 5 seconds.
>
> Do you have the syslog.conf part set up as well as the pf part? I've
> only used it for ssh but something like the following needs to be
> there:
>
> auth.info;authpriv.info |exec /usr/local/sbin/sshguard
>
>> yeaguy#  nslookup  a214.amber.fastwebserver.de
>> Server:         10.1.1.1
>> Address:        10.1.1.1#53
>>
>> Non-authoritative answer:
>> Name:   a214.amber.fastwebserver.de
>> Address: 217.79.189.214
>>
>
> I wouldn't waste your time trying to find out who they are - just
> block and move on. That site is probably a shared web hosting account
> that was compromised by a bad php script - even if you successfully
> complain (assuming it is a legit hoster that cares) and they do
> something about it, there are thousands more.
>
> --
> Rob Farmer
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

This is the guide I used: http://www.sshguard.net/docs/setup/firewall/pf/

I followed this section to block all brute attempts:

    Add this line in the packet filtering (rules) section:

        block in quick on $ext_if proto tcp from to any port 22 label "ssh bruteforce"

    Replace $ext_if with your WAN interface name if needed. Omit the proto tcp
    and the to any port 22 segment if you want to block all the traffic from
    attackers (not just ssh).

I really like this part, it just keeps the logs from filling up. I'm not going
to email their abuse desk; I'm just wishing that sshguard would do what I
expected it to do via the how-to. :(
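The thread turns on what sshguard has to do between the syslog pipe and the PF table: recognise a failure line, count failures per source inside a time window, and add the source to the table once a threshold is reached. The following is an added example (editor's code, not sshguard's and not from the list post) that does exactly that over a constructed log modelled on the two excerpts quoted above. The threshold of 4 attacks and the 420 s first block come from the quoted sshguard log line; the 60 s window and the doubling of later blocks are assumptions. One detail the pure-ftpd excerpt shows and that a naive counter gets wrong: syslogd collapses identical lines into "last message repeated N times", and that line names no address, so the parser attributes the repeats to the previous recognised failure from the same host.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log, modelled on the pure-ftpd and sshd excerpts in the
# thread. Hosts, times and addresses are made up. pure-ftpd normally logs the
# reverse-resolved name (as it did in the thread); a literal address is used
# here so the example runs offline without DNS.
SAMPLE_LOG = """\
Nov  2 05:42:19 yeaguy pure-ftpd: (?@198.51.100.14) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:42:53 yeaguy last message repeated 3 times
Nov  2 05:43:10 yeaguy pure-ftpd: (?@198.51.100.14) [WARNING] Authentication failed for user [Administrator]
Nov  1 10:47:51 peridot sshd[77847]: reverse mapping checking getaddrinfo for h1.example [203.0.113.9] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:47:53 peridot sshd[77967]: reverse mapping checking getaddrinfo for h1.example [203.0.113.9] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:47:54 peridot sshd[78123]: reverse mapping checking getaddrinfo for h1.example [203.0.113.9] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:47:56 peridot sshd[78228]: reverse mapping checking getaddrinfo for h1.example [203.0.113.9] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:52:00 peridot sshd[78300]: reverse mapping checking getaddrinfo for h2.example [192.0.2.77] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  1 11:00:00 peridot sshd[78401]: reverse mapping checking getaddrinfo for h1.example [203.0.113.9] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  1 11:00:01 peridot sshd[78402]: reverse mapping checking getaddrinfo for h1.example [203.0.113.9] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  1 11:00:02 peridot sshd[78403]: reverse mapping checking getaddrinfo for h1.example [203.0.113.9] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  1 11:00:03 peridot sshd[78404]: reverse mapping checking getaddrinfo for h1.example [203.0.113.9] failed - POSSIBLE BREAK-IN ATTEMPT!
"""

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")
IP = r"(?P<ip>\d+(?:\.\d+){3})"
ATTACK_RES = {
    "sshd-revmap": re.compile(r"^sshd\[\d+\]: reverse mapping checking getaddrinfo for \S+ \[" + IP + r"\] failed"),
    "pure-ftpd-auth": re.compile(r"^pure-ftpd: \(\S*@" + IP + r"\) \[WARNING\] Authentication failed for user"),
}

THRESHOLD = 4     # failures from one source ...
WINDOW = 60       # ... within this many seconds trigger a block (assumed window)
BLOCK_BASE = 420  # first block length, as in the quoted sshguard log line


def _seconds(ts):
    """Syslog timestamps carry no year; relative ordering is all we need."""
    dt = datetime.strptime(ts, "%b %d %H:%M:%S")
    return (dt - datetime(1900, 1, 1)).total_seconds()


def parse_events(log):
    """Return (time, ip, kind) for every recognised failure. A syslogd
    'last message repeated N times' line is expanded into N copies of the
    previous line from that host, but only if that line was a failure."""
    last = {}
    events = []
    for line in log.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        t, host, msg = _seconds(m.group("ts")), m.group("host"), m.group("msg")
        rep = REPEAT_RE.match(msg)
        if rep:
            prev = last.get(host)
            if prev is not None:
                events.extend((t, prev[1], prev[2]) for _ in range(int(rep.group("n"))))
            continue
        last[host] = None
        for kind, rx in ATTACK_RES.items():
            a = rx.match(msg)
            if a:
                ev = (t, a.group("ip"), kind)
                events.append(ev)
                last[host] = ev
                break
    return events


def detect(events, threshold=THRESHOLD, window=WINDOW, block_base=BLOCK_BASE):
    """Sliding-window count per source. Returns blocks in decision order as
    (ip, seconds, pfctl command). Doubling the block for a repeat offender is
    an assumption standing in for sshguard's own escalation schedule."""
    recent = defaultdict(deque)
    offences = defaultdict(int)
    blocks = []
    for t, ip, _kind in sorted(events):
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            offences[ip] += 1
            secs = block_base * 2 ** (offences[ip] - 1)
            # This is the command sshguard's pf backend issues for its table.
            blocks.append((ip, secs, "pfctl -t sshguard -T add %s" % ip))
            q.clear()  # counting starts afresh once the source is blocked
    return blocks


if __name__ == "__main__":
    for ip, secs, cmd in detect(parse_events(SAMPLE_LOG)):
        print("block %s for %ds: %s" % (ip, secs, cmd))
```

Run as-is it blocks 203.0.113.9 twice (420 s, then 840 s) and 198.51.100.14 once, and leaves the single failure from 192.0.2.77 alone; drop the repeat handling and the pure-ftpd source is never blocked, which is the silent failure mode to watch for. Two checks on a real box: the PF rule quoted from the guide above reads `from <sshguard> to any port 22` in the sshguard PF documentation (the angle-bracketed table name did not survive the copy here) and needs `table <sshguard> persist` declared before it, and `pfctl -t sshguard -T show` lists what sshguard has actually added, so an attacker still appearing in the log but absent from that table points at the syslog.conf pipe rather than at PF.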