From owner-freebsd-questions@FreeBSD.ORG Thu Nov 4 14:18:14 2010
From: krad
To: "Justin V."
Cc: freebsd-questions@freebsd.org
Date: Thu, 4 Nov 2010 14:18:11 +0000
Subject: Re: SSHguard and PF

On 2 November 2010 16:34, Justin V. wrote:
> Hi,
>
> Would this be considered bruteforce??
>
> This goes on and on:
>
> Nov 2 05:42:19 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
> Nov 2 05:42:53 yeaguy last message repeated 3 times
> Nov 2 05:43:11 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
> Nov 2 05:43:31 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
> Nov 2 05:43:35 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
> Nov 2 05:43:54 yeaguy last message repeated 2 times
> Nov 2 05:44:27 yeaguy last message repeated 2 times
> Nov 2 05:44:47 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
> Nov 2 05:44:53 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
> Nov 2 05:45:27 yeaguy last message repeated 3 times
> Nov 2 05:45:44 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
> Nov 2 05:46:05 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
> Nov 2 05:46:12 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
> Nov 2 05:46:47 yeaguy last message repeated 3 times
> Nov 2 05:47:03 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
> Nov 2 05:47:24 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
> Nov 2 05:47:31 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
> Nov 2 05:48:06 yeaguy last message repeated 3 times
> Nov 2 05:48:24 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
> Nov 2 05:48:45 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
> Nov 2 05:48:50 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
> Nov 2 05:49:25 yeaguy last message repeated 3 times
> Nov 2 05:49:42 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
> Nov 2 05:50:01 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
> Nov 2 05:50:08 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
> Nov 2 05:50:40 yeaguy last message repeated 3 times
> Nov 2 05:50:58 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
> Nov 2 05:51:20 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
> Nov 2 05:51:25 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
> Nov 2 05:51:59 yeaguy last message repeated 3 times
> Nov 2 05:52:16 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
>
>
> My sshguard config:
>
> # $FreeBSD: src/share/examples/pf/pf.conf,v 1.1.4.1.4.1 2010/06/14 02:09:06 kensmith Exp $
> # $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
> #
> # See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> ext_if="wlan0"
> #int_if="int0"
>
> #table persist
> table persist
>
> #set skip on lo
>
> #scrub in
>
> #nat-anchor "ftp-proxy/*"
> #rdr-anchor "ftp-proxy/*"
> #nat on $ext_if from !($ext_if) -> ($ext_if:0)
> #rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
> #no rdr on $ext_if proto tcp from to any port smtp
> #rdr pass on $ext_if proto tcp from any to any port smtp \
> #    -> 127.0.0.1 port spamd
>
> #anchor "ftp-proxy/*"
> #block in
> block in log quick on $ext_if from label "bruteforce"
> #pass out
>
> #pass quick on $int_if no state
> #antispoof quick for { lo $int_if }
>
> #pass in on $ext_if proto tcp to ($ext_if) port ssh
> #pass in log on $ext_if proto tcp to ($ext_if) port smtp
> #pass out log on $ext_if proto tcp from ($ext_if) to port smtp
>
>
> LOGS:
>
> yeaguy# nslookup a214.amber.fastwebserver.de
> Server:         10.1.1.1
> Address:        10.1.1.1#53
>
> Non-authoritative answer:
> Name:   a214.amber.fastwebserver.de
> Address: 217.79.189.214
>
> yeaguy# tcpdump -n -e -ttt -r /var/log/pflog | grep 217.79.189.214
> reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
> yeaguy#
>
>
> Thanks,
>
> Justin
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

Even if it is, do you really need to leave ssh accessible to the whole world, or can you not lock it down with ACLs, e.g. explicitly block all ssh attempts apart from those in table ssh, say?
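The empty pflog grep in the quoted message means no packet from 217.79.189.214 ever hit a logged pf rule, so the practical question behind "is this bruteforce" is whether that address ever reached the table the block rule references. What follows is an added example, not code from the thread, from sshguard or from FreeBSD: it replays the pure-ftpd log format quoted above through a small per-host failure counter of the kind a log watcher runs, prints the pfctl commands that would ban the offenders, and lists the pfctl checks that tell "table is empty" apart from "rule does not match". Assumptions not in the thread: the table is called bruteforce (taken from the rule label, since the table name in the quoted pf.conf did not survive extraction), the ban threshold is 5, and the second host in the constructed sample log is made up.

```shell
#!/bin/sh
# Added example, not from the original thread. Counts pure-ftpd authentication
# failures per remote host in the syslog format quoted above and prints the
# pfctl commands that would put offenders into the pf table <bruteforce>.
# Assumptions: table name "bruteforce" (from the rule label), threshold 5,
# host.example.net is invented. The sample lines are constructed, not real.

SAMPLE_LOG='Nov  2 05:42:19 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:42:53 yeaguy last message repeated 3 times
Nov  2 05:43:11 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:43:31 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
Nov  2 05:43:35 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:43:54 yeaguy last message repeated 2 times
Nov  2 05:44:27 yeaguy last message repeated 2 times
Nov  2 05:50:00 yeaguy pure-ftpd: (?@host.example.net) [WARNING] Authentication failed for user [justin]
Nov  2 05:50:30 yeaguy pure-ftpd: (?@host.example.net) [INFO] justin is now logged in'

# count_failures: stdin = syslog lines, stdout = "<host> <failures>", highest
# first. syslogd's "last message repeated N times" is credited to the host of
# the preceding [WARNING] line; any other line breaks that chain, so repeats
# of an [ERROR] line (or anything else) are not counted as failures.
count_failures() {
    awk '
        /pure-ftpd: \(.*@[^)]*\) \[WARNING\] Authentication failed/ {
            host = $0
            sub(/^.*@/, "", host)      # drop everything up to the "@"
            sub(/\).*$/, "", host)     # drop the ")" and the rest of the line
            fails[host]++
            last = host
            next
        }
        /last message repeated [0-9]+ times/ && last != "" {
            for (i = 1; i <= NF; i++) if ($i == "repeated") fails[last] += $(i + 1)
            next
        }
        { last = "" }
        END { for (h in fails) print h, fails[h] }
    ' | sort -k2,2nr
}

# offenders THRESHOLD: hosts with at least THRESHOLD failures, one per line.
offenders() {
    count_failures | awk -v t="${1:-5}" '$2 >= t { print $1 }'
}

# ban_commands THRESHOLD: print (do not run) the pfctl table additions, so the
# script is safe to run anywhere. This is the same table operation a watcher
# like sshguard performs; the table must exist in pf.conf, e.g.
#     table <bruteforce> persist
#     block in log quick on $ext_if from <bruteforce> label "bruteforce"
ban_commands() {
    offenders "${1:-5}" | while IFS= read -r host; do
        echo "pfctl -t bruteforce -T add $host"
    done
}

printf '%s\n' "$SAMPLE_LOG" | count_failures
printf '%s\n' "$SAMPLE_LOG" | ban_commands 5

# Checks for the empty pflog grep in the thread (standard pfctl options):
#   pfctl -t bruteforce -T show                 # is the address in the table at all?
#   pfctl -t bruteforce -T test 217.79.189.214  # would the table match it?
#   pfctl -vsr                                  # is the rule loaded, and are its packet counters moving?
```

If the table turns out to be empty, the watcher is not seeing these lines. With sshguard fed from syslogd, check that the facility pure-ftpd logs to (ftp by default in pure-ftpd.conf) is among those piped to it, and that the table sshguard adds to is the one named in the block rule; either mismatch leaves ssh failures handled and FTP failures ignored.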