From: "Dave" <dmehler26@woh.rr.com>
To: freebsd-pf@freebsd.org
Date: Tue, 24 Apr 2007 14:00:41 -0400
Subject: preventing ssh brute force attacks, swatch and users and table

Hello,

I've got a machine running ssh and I'm trying to cut down on brute force attacks on it. I'm running pf on a FreeBSD 6.2 box and have added in swatch to try to curb these attacks. The problem is nothing is being added to either the in-memory hackers table or the on-disk copy of it.
I know I'm getting hits because I'm seeing entries in my auth.log like this:

    Apr 21 06:18:38 zeus sshd[10609]: Did not receive identification string from 125.33.163.188
    Apr 21 06:22:55 zeus sshd[10658]: User root from 125.33.163.188 not allowed because none of user's groups are listed in AllowGroups
    Apr 21 06:22:55 zeus sshd[10658]: Failed password for invalid user root from 125.33.163.188 port 54521 ssh2
    Apr 21 06:22:57 zeus sshd[10660]: User root from 125.33.163.188 not allowed because none of user's groups are listed in AllowGroups
    Apr 21 06:22:57 zeus sshd[10660]: Failed password for invalid user root from 125.33.163.188 port 54727 ssh2
    Apr 24 00:52:08 zeus sshd[7746]: Failed password for invalid user root from 218.205.231.39 port 61694 ssh2
    Apr 24 00:52:11 zeus sshd[7749]: User root from 218.205.231.39 not allowed because none of user's groups are listed in AllowGroups
    Apr 24 00:52:11 zeus sshd[7749]: Failed password for invalid user root from 218.205.231.39 port 61773 ssh2

I don't want to move my ssh; I feel these bots would just find it again. I'm also getting postfix attempts; I'd like to block them both.

My swatch configuration looks like this:

rc.conf:

    swatch_enable="YES"
    swatch_rules="1"
    swatch_1_flags="--config-file=/usr/local/etc/swatchrc --tail-file=/var/log/auth.log --daemon --pid-file=/var/run/swatch.pid"
    swatch_1_user="root"
    swatch_1_chdir="/var/tmp"
    swatch_1_pidfile="/var/run/swatch.pid"

In pf I have a block-by-default policy and I've got these lines:

    table <hackers> persist file "/etc/hackers"
    block all
    block in quick on $ext_if from <hackers> to any

and /usr/local/etc/swatchrc calls a script that looks like:

    #!/bin/sh
    # $1 is the offending address passed in by swatch.
    # Add it to the running pf table, then to the on-disk copy the
    # "persist file" directive reloads at boot, and log what was done.
    /sbin/pfctl -t hackers -T add "$1"
    /bin/echo "$1" >> /etc/hackers
    /usr/bin/logger "swatch: $1 caught with bad login. Added to hackers pf table"

If there's a better way that I can get both ssh and smtp bots I'd like to know about it; also, if my config is wrong, let me know. It's not working.
One thing: I do not want to unblock attempted hackings; my feeling is those that do it should have no further interactions with my machines on any level.

Thanks.
Dave.
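As an added illustration (not part of Dave's post, and not swatch's or pf's own code), the following Python sketch shows the matching and counting step that sits between the auth.log lines quoted above and the pfctl call in the hook script: it recognises the three sshd failure shapes in the sample, tallies them per client address, and builds the `pfctl -t hackers -T add` commands while skipping addresses already present in the on-disk copy, so /etc/hackers does not accumulate duplicates. The sample log is constructed from the lines in the post plus one successful login that must not be counted; the function names, the threshold parameter and the `parse_persist_file` helper are assumptions of this example, not swatch features.

```python
import re
from collections import Counter

# Constructed sample: the sshd lines quoted in the post, plus one successful
# login (not in the post) that a correct matcher must ignore.
SAMPLE_AUTH_LOG = """\
Apr 21 06:18:38 zeus sshd[10609]: Did not receive identification string from 125.33.163.188
Apr 21 06:22:55 zeus sshd[10658]: User root from 125.33.163.188 not allowed because none of user's groups are listed in AllowGroups
Apr 21 06:22:55 zeus sshd[10658]: Failed password for invalid user root from 125.33.163.188 port 54521 ssh2
Apr 21 06:22:57 zeus sshd[10660]: User root from 125.33.163.188 not allowed because none of user's groups are listed in AllowGroups
Apr 21 06:22:57 zeus sshd[10660]: Failed password for invalid user root from 125.33.163.188 port 54727 ssh2
Apr 24 00:52:08 zeus sshd[7746]: Failed password for invalid user root from 218.205.231.39 port 61694 ssh2
Apr 24 00:52:11 zeus sshd[7749]: User root from 218.205.231.39 not allowed because none of user's groups are listed in AllowGroups
Apr 24 00:52:11 zeus sshd[7749]: Failed password for invalid user root from 218.205.231.39 port 61773 ssh2
Apr 24 01:10:00 zeus sshd[7800]: Accepted publickey for dave from 192.0.2.10 port 50000 ssh2
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# One pattern per sshd failure shape seen in the sample; each captures the
# client address.  Anchoring on "sshd[pid]:" keeps other daemons' lines out.
FAILURE_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from " + IPV4),
    re.compile(r"sshd\[\d+\]: Did not receive identification string from " + IPV4),
    re.compile(r"sshd\[\d+\]: User \S+ from " + IPV4 + r" not allowed because"),
]


def offending_ip(line):
    """Return the client IP if the line is an sshd failure, otherwise None."""
    for pattern in FAILURE_PATTERNS:
        match = pattern.search(line)
        if match:
            return match.group(1)
    return None


def count_failures(lines):
    """Tally failure events per client address."""
    counts = Counter()
    for line in lines:
        ip = offending_ip(line)
        if ip:
            counts[ip] += 1
    return counts


def offenders(lines, threshold):
    """Addresses with at least `threshold` failures, sorted for stable output.

    The hook in the post fires on every single match; a threshold is this
    example's choice, so that one mistyped password does not ban a host."""
    counts = count_failures(lines)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def parse_persist_file(text):
    """Addresses already in the on-disk table file (pf table files allow
    blank lines and '#' comments, which are skipped here)."""
    listed = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            listed.add(entry)
    return listed


def pfctl_commands(ips, table="hackers", already_listed=frozenset()):
    """Build the pfctl commands the swatch hook would run, skipping addresses
    already in the persist file so it is not appended to twice."""
    return [f"/sbin/pfctl -t {table} -T add {ip}" for ip in ips if ip not in already_listed]


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    for ip, n in count_failures(lines).most_common():
        print(f"{ip}: {n} failures")
    # Constructed contents of /etc/hackers for the dry run below.
    on_disk = parse_persist_file("# banned hosts\n218.205.231.39\n")
    for cmd in pfctl_commands(offenders(lines, threshold=3), already_listed=on_disk):
        print(cmd)
```

Running it stand-alone prints the per-address tallies and then only the command for 125.33.163.188, because the constructed /etc/hackers already lists 218.205.231.39. The same matching rules, written as swatch `watchfor` regexes, are what decide whether the hook script in the post is ever invoked; a hook that is never called is the first thing to check when the table stays empty.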