From: "Chris H."
To: freebsd-pf@freebsd.org
Date: Wed, 25 Apr 2007 01:20:57 -0700
Subject: Re: preventing ssh brute force attacks, swatch and users and table
Message-ID: <20070425012057.upvt9rld28kwk8sg@webmail.1command.com>
In-Reply-To: <00b701c7869a$795c0db0$0200a8c0@satellite>

Quoting Dave :

> Hello,
> I've got a machine running ssh and I'm trying to cut down on brute
> force attacks on it. I'm running pf on a FreeBSD 6.2 box and have
> added in swatch to try to curb these attacks. The problem is nothing
> is being added to either the in-memory hackers table nor the on-disk copy
> of it. I know I'm getting hits because I'm seeing entries in my
> auth.log like this:
>
> Apr 21 06:18:38 zeus sshd[10609]: Did not receive identification string from 125.33.163.188
> Apr 21 06:22:55 zeus sshd[10658]: User root from 125.33.163.188 not allowed because none of user's groups are listed in AllowGroups
> Apr 21 06:22:55 zeus sshd[10658]: Failed password for invalid user root from 125.33.163.188 port 54521 ssh2
> Apr 21 06:22:57 zeus sshd[10660]: User root from 125.33.163.188 not allowed because none of user's groups are listed in AllowGroups
> Apr 21 06:22:57 zeus sshd[10660]: Failed password for invalid user root from 125.33.163.188 port 54727 ssh2
> Apr 24 00:52:08 zeus sshd[7746]: Failed password for invalid user root from 218.205.231.39 port 61694 ssh2
> Apr 24 00:52:11 zeus sshd[7749]: User root from 218.205.231.39 not allowed because none of user's groups are listed in AllowGroups
> Apr 24 00:52:11 zeus sshd[7749]: Failed password for invalid user root from 218.205.231.39 port 61773 ssh2
>
> I don't want to move my ssh, I feel these bots would just find it
> again. I'm also getting postfix attempts; I'd like to block them both.
> My swatch configuration looks like this:
>
> rc.conf
> swatch_enable="YES"
> swatch_rules="1"
> swatch_1_flags="--config-file=/usr/local/etc/swatchrc --tail-file=/var/log/auth.log --daemon --pid-file=/var/run/swatch.pid"
> swatch_1_user="root"
> swatch_1_chdir="/var/tmp"
> swatch_1_pidfile="/var/run/swatch.pid"
>
> In pf I have a block-by-default policy and I've got these lines:
> table <hackers> persist file "/etc/hackers"
> block all
> block in quick on $ext_if from <hackers> to any
>
> and /usr/local/etc/swatchrc calls a script that looks like:
> #!/bin/sh
> # $1 is the offending address handed over by swatch
> /sbin/pfctl -t hackers -T add "$1"
> /bin/echo "$1" >> /etc/hackers
> /usr/bin/logger "swatch: $1 caught with bad login. Added to hackers pf table"
>
> If there's a better way that I can get both ssh and smtp bots I'd
> like to know about it, also if my config is wrong let me know; it's
> not working. One thing, I do not want to unblock attempted hackings,

Greetings,

You /may/ want to re-consider this policy.

I was plagued with dictionary/brute force attempts against a couple of my
mail servers. Which spurred me into concocting some method to ease the
burden and ultimately defeat such attempts. My final solution was a
combination of scripts (grep || sed || awk || uniq || sort) run out of cron,
that parse the maillog for patterns that match offenders. It works perfectly
(over 7,700 IP's).

BUT, you should consider, as I did, that many of the offending IP's are
leased (DHCP) and are only owned/used by the perpetrator for a relatively
short amount of time, and then they become available and used by a now
INNOCENT user. Also, there are those who /do/ own/lease the IP's on a longer
term basis that have mis-configured boxen which are effectively open proxies
that are later corrected. So they too are only guilty by proxy (sorry, I
couldn't resist ;)).

Anyway, the point I'm attempting to make here is that you should probably
consider developing an EXPIRE policy for the offending/accumulating IP list.
That way, you'll be able to DIFF the current against the EXPIRED and gain a
more reasonable understanding of /which/ IP's are /always/ going to be
offenders vs. those who were just short term (for whatever reason).

Just thought I'd mention it.

Best wishes.

> my feeling is those that do it should have no further interactions
> with my machines on any level.
> Thanks.
> Dave.

--
panic: kernel trap (ignored)
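The expire-and-diff policy suggested in the reply above, written out as an added example (it is not code from either poster). It assumes a hypothetical layout: a pf table named "hackers", an on-disk copy $HACKERS_DB holding one "ip<TAB>last-seen-epoch<TAB>hits" line per address (instead of the bare address list in the thread), an $HACKERS_EXPIRED list of addresses that have aged out, and $PFCTL pointing at pfctl, which is skipped when it is not executable so the bookkeeping can be exercised on a machine without pf. The "now" argument exists so the ageing can be checked deterministically; omit it in production.

```shell
#!/bin/sh
# Added example: expire policy for a pf blocklist table kept on disk.
# Hypothetical paths/names; adjust TABLE, HACKERS_DB, HACKERS_EXPIRED, PFCTL.
TABLE="${TABLE:-hackers}"
HACKERS_DB="${HACKERS_DB:-/etc/hackers.db}"            # ip<TAB>last-seen<TAB>hits
HACKERS_EXPIRED="${HACKERS_EXPIRED:-/etc/hackers.expired}"
PFCTL="${PFCTL:-/sbin/pfctl}"

# Call pfctl only when it exists; the on-disk file is the source of truth and is
# what `table <hackers> persist file` reloads after a reboot.
pf_call() {
    if [ -x "$PFCTL" ]; then "$PFCTL" "$@" >/dev/null 2>&1 || return 1; fi
    return 0
}

# hackers_add IP [NOW]: record an offender (refresh last-seen, bump the hit
# count) and add it to the in-kernel table. Called from the swatch action.
hackers_add() {
    ip=$1; now=${2:-$(date +%s)}
    touch "$HACKERS_DB"
    awk -v ip="$ip" -v now="$now" -F'\t' -v OFS='\t' '
        $1 == ip { print $1, now, $3 + 1; seen = 1; next }
        { print }
        END { if (!seen) print ip, now, 1 }' "$HACKERS_DB" > "$HACKERS_DB.tmp" \
      && mv "$HACKERS_DB.tmp" "$HACKERS_DB"
    pf_call -t "$TABLE" -T add "$ip"
}

# hackers_expire TTL [NOW]: drop addresses not seen for TTL seconds from the
# table and the on-disk copy, append them to the expired list, print them.
# Meant to run from cron.
hackers_expire() {
    ttl=$1; now=${2:-$(date +%s)}
    touch "$HACKERS_DB" "$HACKERS_EXPIRED"
    awk -v ttl="$ttl" -v now="$now" -F'\t' \
        'now - $2 >= ttl { print $1 }' "$HACKERS_DB" > "$HACKERS_DB.expiring"
    awk -v ttl="$ttl" -v now="$now" -F'\t' \
        'now - $2 < ttl' "$HACKERS_DB" > "$HACKERS_DB.tmp" \
      && mv "$HACKERS_DB.tmp" "$HACKERS_DB"
    while read -r ip; do
        pf_call -t "$TABLE" -T delete "$ip"
        echo "$ip" >> "$HACKERS_EXPIRED"
        echo "$ip"
    done < "$HACKERS_DB.expiring"
    rm -f "$HACKERS_DB.expiring"
}

# hackers_repeat: the DIFF of current against expired: addresses that aged out
# once and are back in the live list, i.e. the persistent offenders that merit
# a permanent entry rather than another TTL.
hackers_repeat() {
    touch "$HACKERS_DB" "$HACKERS_EXPIRED"
    cut -f1 "$HACKERS_DB" | sort -u > "$HACKERS_DB.live"
    sort -u "$HACKERS_EXPIRED" > "$HACKERS_DB.old"
    comm -12 "$HACKERS_DB.live" "$HACKERS_DB.old"
    rm -f "$HACKERS_DB.live" "$HACKERS_DB.old"
}
```

Wire it up by having the swatch action call `hackers_add "$1"` and a daily cron job call `hackers_expire 604800` (one week) followed by `hackers_repeat` into a report. pfctl's `-T expire` subcommand (see pfctl(8) on your release) ages entries inside the kernel, but it does not touch the persist file, which is why the script keeps its own timestamps and does the deletion on both sides.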