bruteforceblocker + PF
Noel Jones
noeldude at gmail.com
Wed Oct 5 12:53:04 PDT 2005
On 10/5/05, Enrique Ayesta Perojo <eayesta at portugalete.uned.es> wrote:
> Hello, i'm trying to install the bruteforceblocker script to stop ssh attacks,
> but i'm having a problem with PF because it seems not to block the attacker
> ip.
>
> The machine is connected to internet and has some needed services for the LAN,
> so i want to log and block only outside attacks.
>
> The bruteforceblocker script seems to be working, because i can read the
> initial time of it at /var/log/auth.log, so i think the problem may be at my
> pf configuration.
>
> Any help?
>
> Thanks a lot
>
> ####/etc/pf.conf####
> table <bruteforce> persist file "/var/log/bruteforce"
>
> # options
> set block-policy return
> set loginterface $ext_if
>
> # scrub
> scrub in all
>
> # filter rules
> block all
>
> pass quick on lo0 all
>
> pass in on bge0 from 10.200.62.0/24 to 10.200.62.17
> pass out on bge0 from 10.200.62.17 to 10.200.62.0/24
>
> block in log quick inet proto tcp from <bruteforce> to any port ssh
I'm going to assume this is just a small part of your pf.conf, because
the part you show doesn't allow any internet access. Maybe you should
show us your entire pf.conf.
Do your rules display as expected?
# pfctl -s rules
Did you reload pf after you edited pf.conf?
# pfctl -f /etc/pf.conf
Are you testing this from outside the 10.200.x.x network?
In your auth.log do you see bruteforceblocker messages such as:
220.92.126.217 was logged with total count of 1.
when an ssh login fails?
And then after $max_attempts is exceeded you should see:
IP 202.92.126.217 reached the maximum number of failed attempts!!!
Adding IP to the firewall...
--
Noel Jones
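The checks in the reply above (does auth.log show the "was logged with total count of N" and "reached the maximum number of failed attempts" messages, and did the address actually land in the pf table?) can be scripted. The POSIX sh below is an added example, not code from the thread or from the bruteforceblocker project: it parses the two message formats quoted above, then compares the addresses bruteforceblocker says it added against a `pfctl -t bruteforce -T show` dump to list any that never reached the table. The log lines and table contents are constructed sample data using documentation addresses; the syslog prefix format and the table name `bruteforce` (taken from the quoted pf.conf) are assumptions.

```shell
#!/bin/sh
# Added example: cross-check bruteforceblocker's auth.log messages against the
# pf <bruteforce> table to spot addresses that were reported but never blocked.

# Print "IP latest-count" for every address seen in lines of the form
#   <ip> was logged with total count of <n>.
# Reads auth.log text on stdin; only the most recent count per IP is kept.
latest_counts() {
    awk '/was logged with total count of/ {
            for (i = 2; i <= NF; i++) if ($i == "was") ip = $(i - 1)
            n = $NF; sub(/\.$/, "", n)       # strip the trailing full stop
            count[ip] = n
         }
         END { for (ip in count) print ip, count[ip] }' | sort
}

# Print the addresses that hit $max_attempts, from lines of the form
#   IP <ip> reached the maximum number of failed attempts!!!
# Reads auth.log text on stdin; output is de-duplicated.
blocked_by_bfb() {
    while IFS= read -r line; do
        case "$line" in
            *"IP "*" reached the maximum number of failed attempts"*)
                ip=${line#*IP }            # drop everything up to "IP "
                ip=${ip%% reached*}        # drop " reached ..." and after
                printf '%s\n' "$ip"
                ;;
        esac
    done | sort -u
}

# $1: text of `pfctl -t bruteforce -T show` (entries carry leading spaces).
# stdin: one IP per line, as produced by blocked_by_bfb.
# Prints the IPs that bruteforceblocker reported but that pf does not hold.
missing_from_table() {
    table=$1
    while IFS= read -r ip; do
        # awk's $1 strips pfctl's indentation; exit status 1 means "not found"
        printf '%s\n' "$table" | awk -v ip="$ip" '$1 == ip { found = 1 }
                                                 END { exit found ? 0 : 1 }' \
            || printf '%s\n' "$ip"
    done
}

# On a real host (not run here) the same pipeline would be:
#   grep bruteforceblocker /var/log/auth.log | blocked_by_bfb \
#       | missing_from_table "$(pfctl -t bruteforce -T show)"

# Constructed sample auth.log excerpt (made up; RFC 5737 documentation addresses).
SAMPLE_AUTHLOG='Oct  5 12:40:11 gw sshd[1201]: Failed password for root from 192.0.2.10 port 40112 ssh2
Oct  5 12:40:11 gw bruteforceblocker[1210]: 192.0.2.10 was logged with total count of 1.
Oct  5 12:40:19 gw bruteforceblocker[1215]: 192.0.2.10 was logged with total count of 2.
Oct  5 12:40:23 gw bruteforceblocker[1218]: 192.0.2.10 was logged with total count of 3.
Oct  5 12:40:25 gw bruteforceblocker[1220]: IP 192.0.2.10 reached the maximum number of failed attempts!!!
Oct  5 12:40:25 gw bruteforceblocker[1220]: Adding IP to the firewall...
Oct  5 12:41:00 gw bruteforceblocker[1228]: 203.0.113.45 was logged with total count of 1.
Oct  5 12:41:01 gw bruteforceblocker[1229]: 203.0.113.45 was logged with total count of 2.
Oct  5 12:41:01 gw bruteforceblocker[1229]: 203.0.113.45 was logged with total count of 3.
Oct  5 12:41:02 gw bruteforceblocker[1230]: IP 203.0.113.45 reached the maximum number of failed attempts!!!
Oct  5 12:41:02 gw bruteforceblocker[1230]: Adding IP to the firewall...'

# Constructed `pfctl -t bruteforce -T show` output: only one of the two is present.
SAMPLE_TABLE='   192.0.2.10
   198.51.100.7'

# Demonstration on the constructed data.
printf '%s\n' "$SAMPLE_AUTHLOG" | latest_counts
printf '%s\n' "$SAMPLE_AUTHLOG" | blocked_by_bfb | missing_from_table "$SAMPLE_TABLE"
```

If the second command prints an address, bruteforceblocker did its part and the problem is on the pf side (the table not being loaded, or the rule never reached); if it prints nothing but the client still gets through, the `block ... from <bruteforce>` rule itself is the thing to inspect with `pfctl -s rules`.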