Date: Tue, 24 Apr 2007 13:33:55 -0500
From: eculp@encontacto.net
To: freebsd-pf@freebsd.org
Subject: Re: preventing ssh brute force attacks, swatch and users and table
Message-ID: <20070424133355.652vt8e4dcoskcgk@intranet.encontacto.net>
In-Reply-To: <00b701c7869a$795c0db0$0200a8c0@satellite>
References: <00b701c7869a$795c0db0$0200a8c0@satellite>
Quoting Dave <dmehler26@woh.rr.com>:

> Hello,
> I've got a machine running ssh and I'm trying to cut down on brute force
> attacks on it. I'm running pf on a FreeBSD 6.2 box and have added in swatch
> to try to curb these attacks. The problem is nothing is being added to
> either the in-memory hackers table nor the on-disk copy of it. I know I'm
> getting hits because I'm seeing entries in my auth.log like this:
>
> Apr 21 06:18:38 zeus sshd[10609]: Did not receive identification string from 125.33.163.188
> Apr 21 06:22:55 zeus sshd[10658]: User root from 125.33.163.188 not allowed because none of user's groups are listed in AllowGroups
> Apr 21 06:22:55 zeus sshd[10658]: Failed password for invalid user root from 125.33.163.188 port 54521 ssh2
> Apr 21 06:22:57 zeus sshd[10660]: User root from 125.33.163.188 not allowed because none of user's groups are listed in AllowGroups
> Apr 21 06:22:57 zeus sshd[10660]: Failed password for invalid user root from 125.33.163.188 port 54727 ssh2
> Apr 24 00:52:08 zeus sshd[7746]: Failed password for invalid user root from 218.205.231.39 port 61694 ssh2
> Apr 24 00:52:11 zeus sshd[7749]: User root from 218.205.231.39 not allowed because none of user's groups are listed in AllowGroups
> Apr 24 00:52:11 zeus sshd[7749]: Failed password for invalid user root from 218.205.231.39 port 61773 ssh2
>
> I don't want to move my ssh; I feel these bots would just find it again.
> I'm also getting postfix attempts; I'd like to block them both.
>
> My swatch configuration looks like this:
>
> rc.conf
> swatch_enable="YES"
> swatch_rules="1"
> swatch_1_flags="--config-file=/usr/local/etc/swatchrc --tail-file=/var/log/auth.log --daemon --pid-file=/var/run/swatch.pid"
> swatch_1_user="root"
> swatch_1_chdir="/var/tmp"
> swatch_1_pidfile="/var/run/swatch.pid"
>
> In pf I have a block-by-default policy and I've got these lines:
> table <hackers> persist file "/etc/hackers"
> block all
> block in quick on $ext_if from <hackers> to any
>
> and /usr/local/etc/swatchrc calls a script that looks like:
> #!/bin/sh
> /sbin/pfctl -t hackers -T add "$1"
> /bin/echo "$1" >> /etc/hackers
> /usr/bin/logger "swatch: $1 caught with bad login. Added to hackers pf table"
>
> If there's a better way that I can get both ssh and smtp bots I'd like to
> know about it; also if my config is wrong let me know, it's not working.
> One thing, I do not want to unblock attempted hackings; my feeling is those
> that do it should have no further interactions with my machines on any level.

I'm pretty sure that I don't have a better way, in fact that is why I'm
posting it ;) but it seems to work. My rules are basically:

block drop in quick on $ext_if from <ssh-bruteforce> to any
block drop in quick on $ext_if from <blocksmtp> to any
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port smtp flags S/SA keep state \
    ( max-src-conn 70, max-src-conn-rate 70/90, overload <blocksmtp> flush global )
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $ssh_services flags S/SA keep state \
    ( max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global )

The connections and rates took me a couple of weeks to not block legitimate
smtp, but it seems to be OK for my installation now. I'm not sure if the
quick is good or bad, but it was faster ;)

Maybe this will give you another perspective, from someone less knowledgeable.

I also run expiretable to leave the IPs in for 24 hours and I get few
repeats. I've thought about not doing that but . . . . .

Good luck,

ed

> Thanks.
> Dave.
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
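The swatch action script quoted above passes whatever swatch hands it straight to pfctl and appends it unconditionally to /etc/hackers, so a malformed or hostile log field reaches the firewall and the on-disk file grows one line per failed attempt. The script below is an added example written for this thread, not code from either poster or from FreeBSD/pf: it validates the argument as an IPv4 address before calling pfctl, adds it to the live table, and appends to the file and logs only when the address is new. It also exposes a process_log function that replays auth.log-style lines, so the logic can be exercised against a constructed feed. The table name "hackers", the file /etc/hackers, the pfctl path, the PF_DRY_RUN switch and the sample log lines are assumptions chosen for the example (the first three follow Dave's configuration), and it assumes, as Dave's script does, that swatch invokes it with the address as $1.

```shell
#!/bin/sh
# Added example, not from the thread: a swatch action script for the pf
# <hackers> table that validates its input before touching pfctl and keeps
# the on-disk copy of the table free of duplicates.
# Assumptions (not in the original post): table name, file path and pfctl
# location below; PF_DRY_RUN=1 prints the pfctl command instead of running it.

TABLE="${TABLE:-hackers}"
TABLE_FILE="${TABLE_FILE:-/etc/hackers}"
PFCTL="${PFCTL:-/sbin/pfctl}"

# extract_ip LINE: print the dotted quad following the last " from " in an
# sshd auth.log line (e.g. "... invalid user root from 1.2.3.4 port 54521 ssh2"),
# or nothing if the line carries no source address.
extract_ip() {
    printf '%s\n' "$1" |
        sed -n 's/.* from \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# valid_ipv4 ADDR: succeed only for four dot-separated decimal octets 0-255.
# Hostnames, "999.1.1.1", empty strings and shell metacharacters are all
# rejected, so a malformed or hostile log field never reaches pfctl or the file.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# block_ip ADDR: add ADDR to the live pf table; append it to TABLE_FILE and
# log it only if it is not already there. Returns 1 for an invalid address.
block_ip() {
    addr="$1"
    if ! valid_ipv4 "$addr"; then
        echo "block_ip: refusing malformed address '$addr'" >&2
        return 1
    fi
    # Adding an address already in the table is a no-op for pfctl, so the
    # live table is always brought up to date; only the on-disk copy and the
    # syslog entry are deduplicated.
    if [ "${PF_DRY_RUN:-0}" = 1 ]; then
        echo "$PFCTL -t $TABLE -T add $addr"
    else
        "$PFCTL" -t "$TABLE" -T add "$addr" || return 1
    fi
    if ! grep -qxF "$addr" "$TABLE_FILE" 2>/dev/null; then
        echo "$addr" >> "$TABLE_FILE"
        [ "${PF_DRY_RUN:-0}" = 1 ] ||
            logger -t swatch "$addr caught with bad login, added to pf table <$TABLE>"
    fi
}

# process_log: read auth.log-style lines from stdin and block every address
# they name. Handy for replaying an existing log through the same logic.
process_log() {
    while IFS= read -r line; do
        addr="$(extract_ip "$line")"
        [ -n "$addr" ] || continue
        block_ip "$addr" || :
    done
}

# swatch invokes the script with the matched address as $1.
if [ $# -gt 0 ]; then
    block_ip "$1"
fi
```

Two practitioner caveats for a never-unblock policy like Dave's: keep a rule such as `pass in quick from <trusted>` ahead of the `<hackers>` block so a forged or mis-parsed log entry cannot lock out your own management addresses, and note that a log watcher and Ed's `max-src-conn-rate ... overload` rules are complementary rather than alternatives: the overload table catches connection floods inside pf with no userland latency, while the log-driven table also catches slow, low-rate guessing that never trips the rate limit.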