Date:      Tue, 24 Apr 2007 13:33:55 -0500
From:      eculp@encontacto.net
To:        freebsd-pf@freebsd.org
Subject:   Re: preventing ssh brute force attacks, swatch and users and table
Message-ID:  <20070424133355.652vt8e4dcoskcgk@intranet.encontacto.net>
In-Reply-To: <00b701c7869a$795c0db0$0200a8c0@satellite>
References:  <00b701c7869a$795c0db0$0200a8c0@satellite>

Quoting Dave <dmehler26@woh.rr.com>:

> Hello,
>    I've got a machine running ssh and I'm trying to cut down on brute force attacks on it. I'm running pf on a FreeBSD 6.2 box and have added in swatch to try to curb these attacks. The problem is nothing is being added to either the in-memory hackers table nor the on-disk copy of it. I know I'm getting hits because I'm seeing entries in my auth.log like this:
>
> Apr 21 06:18:38 zeus sshd[10609]: Did not receive identification string from 125.33.163.188
> Apr 21 06:22:55 zeus sshd[10658]: User root from 125.33.163.188 not allowed because none of user's groups are listed in AllowGroups
> Apr 21 06:22:55 zeus sshd[10658]: Failed password for invalid user root from 125.33.163.188 port 54521 ssh2
> Apr 21 06:22:57 zeus sshd[10660]: User root from 125.33.163.188 not allowed because none of user's groups are listed in AllowGroups
> Apr 21 06:22:57 zeus sshd[10660]: Failed password for invalid user root from 125.33.163.188 port 54727 ssh2
> Apr 24 00:52:08 zeus sshd[7746]: Failed password for invalid user root from 218.205.231.39 port 61694 ssh2
> Apr 24 00:52:11 zeus sshd[7749]: User root from 218.205.231.39 not allowed because none of user's groups are listed in AllowGroups
> Apr 24 00:52:11 zeus sshd[7749]: Failed password for invalid user root from 218.205.231.39 port 61773 ssh2
>
> I don't want to move my ssh; I feel these bots would just find it again. I'm also getting postfix attempts, and I'd like to block them both. My swatch configuration looks like this:
>
> rc.conf
> swatch_enable="YES"
> swatch_rules="1"
> swatch_1_flags="--config-file=/usr/local/etc/swatchrc --tail-file=/var/log/auth.log --daemon --pid-file=/var/run/swatch.pid"
> swatch_1_user="root"
> swatch_1_chdir="/var/tmp"
> swatch_1_pidfile="/var/run/swatch.pid"
>
> In pf I have a block-by-default policy and I've got these lines:
> table <hackers> persist file "/etc/hackers"
> block all
> block in quick on $ext_if from <hackers> to any
>
> and /usr/local/etc/swatchrc calls a script that looks like:
> #!/bin/sh
> # $1 is the address swatch captured from the log line; quote it so an
> # unexpected value cannot turn into extra pfctl/echo arguments
> /sbin/pfctl -t hackers -T add "$1"
> /bin/echo "$1" >> /etc/hackers
> /usr/bin/logger "swatch: $1 caught with bad login. Added to hackers pf table"
>
> If there's a better way that I can get both ssh and smtp bots I'd like to know about it; also, if my config is wrong, let me know, since it's not working. One thing: I do not want to unblock attempted hackings. My feeling is those that do it should have no further interactions with my machines on any level.

I'm pretty sure that I don't have a better way, in fact that is why I'm posting it ;) but it seems to work.

My rules are basically:

   block drop in quick on $ext_if from <ssh-bruteforce> to any
   block drop in quick on $ext_if from <blocksmtp> to any

   pass in quick on $ext_if inet proto tcp from any to ($ext_if) port smtp flags S/SA keep state \
     ( max-src-conn 70, max-src-conn-rate 70/90, overload <blocksmtp> flush global )

   pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $ssh_services flags S/SA keep state \
     ( max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global )

The connections and rates took me a couple of weeks to tune so as not to block legit smtp, but it seems to be ok for my installation now.

I'm not sure if the quick is good or bad but it was faster ;)

Maybe this will give you another perspective, from someone less knowledgeable.

I also run expiretable to leave the IPs in for 24 hours and I get few repeats. I've thought about not doing that but . . . . .

Good luck,

ed


> Thanks.
> Dave.
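A hardened version of the action script quoted in Dave's post, added here as an example; it is not Dave's or ed's code. It keeps the same <hackers> pf table and /etc/hackers persist file, but makes them (and the pfctl and logger paths) overridable through environment variables, which is an assumption of this example and not something swatch or pf provides. Two things the original script does not do: it checks that swatch actually handed it a dotted-quad address before that value reaches pfctl, and it appends to the on-disk copy only once per address, so the persist file does not grow a duplicate line for every failed login from the same host.

```shell
#!/bin/sh
# Hardened swatch action script (added example, not the list posters' code).
# Assumptions: table <hackers> and persist file /etc/hackers as in Dave's
# pf.conf; every path/name below can be overridden from the environment.

PFCTL="${PFCTL:-/sbin/pfctl}"
TABLE="${TABLE:-hackers}"
HACKERS_FILE="${HACKERS_FILE:-/etc/hackers}"
LOGGER="${LOGGER:-/usr/bin/logger}"

# is_ipv4 ADDR: succeed only for a dotted quad whose four octets are 0-255.
# swatch passes whatever its regex captured, so validate before the value
# is used as a pfctl argument or written to the persist file.
is_ipv4() {
    addr=$1
    case "$addr" in
        *[!0-9.]*|*..*|.*|*.|"") return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# already_listed ADDR: true if ADDR is already a line in the persist file.
already_listed() {
    [ -f "$HACKERS_FILE" ] && grep -qx -- "$1" "$HACKERS_FILE"
}

# ban_ip ADDR: add ADDR to the live table and, once only, to the persist
# file. Returns 0 on success, 1 if pfctl failed, 2 if ADDR was rejected.
ban_ip() {
    ip=$1
    if ! is_ipv4 "$ip"; then
        "$LOGGER" "swatch: refusing to ban malformed address '$ip'"
        return 2
    fi
    # Adding an address that is already in the table is harmless, so the
    # live-table add is always done: the table may have been flushed or the
    # box rebooted since the persist file was last read.
    "$PFCTL" -t "$TABLE" -T add "$ip" || return 1
    if already_listed "$ip"; then
        return 0
    fi
    printf '%s\n' "$ip" >> "$HACKERS_FILE"
    "$LOGGER" "swatch: $ip caught with bad login, added to pf table <$TABLE>"
}

# When run as a script, ban the single address given on the command line;
# with no argument do nothing (lets the functions be sourced for testing).
[ $# -eq 0 ] || ban_ip "$1"
```

Call it from the swatchrc action with the captured address as its only argument, exactly as the original script is called. To confirm a ban took effect without waiting for the next bot, run it by hand with an address and check the live table with `pfctl -t hackers -T show`; the persist file should gain the line once, and repeat calls for the same address return 0 without touching the file.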
