bruteforceblocker + PF

Noel Jones noeldude at gmail.com
Wed Oct 5 12:53:04 PDT 2005


On 10/5/05, Enrique Ayesta Perojo <eayesta at portugalete.uned.es> wrote:
> Hello, I'm trying to install the bruteforceblocker script to stop SSH attacks,
> but I'm having a problem with PF because it seems not to block the attacker's
> IP.
>
> The machine is connected to the internet and has some services needed by the LAN,
> so I want to log and block only outside attacks.
>
> The bruteforceblocker script seems to be working, because I can see its
> start time in /var/log/auth.log, so I think the problem may be in my
> pf configuration.
>
> Any help?
>
> Thanks a lot
>
> ####/etc/pf.conf####
> table <bruteforce> persist file "/var/log/bruteforce"
>
> # options
> set block-policy return
> set loginterface $ext_if
>
> # scrub
> scrub in all
>
> # filter rules
> block all
>
> pass quick on lo0 all
>
> pass in  on bge0 from 10.200.62.0/24 to 10.200.62.17
> pass out on bge0 from 10.200.62.17 to 10.200.62.0/24
>
> block in log quick inet proto tcp from <bruteforce> to any port ssh


I'm going to assume this is just a small part of your pf.conf, because
the part you show doesn't allow any internet access.  Maybe you should
show us your entire pf.conf.

Do your rules display as expected?
# pfctl -s rules

Did you reload pf after you edited pf.conf?
# pfctl -f /etc/pf.conf

Are you testing this from outside the 10.200.x.x network?

In your auth.log do you see bruteforceblocker messages such as:

220.92.126.217 was logged with total count of 1.

when an ssh login fails?
And then after $max_attempts is exceeded you should see:

IP 202.92.126.217 reached the maximum number of failed attempts!!!
Adding IP to the firewall...

--
Noel Jones
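As an added example (not code from either poster or from bruteforceblocker itself), a small Python check for the two halves of the chain the reply above asks about: pull the bruteforceblocker messages out of auth.log and compare them against the persist file /var/log/bruteforce named in the pf.conf (or against the output of `pfctl -t bruteforce -T show`, which has the same one-address-per-line form). The log lines and table contents below are constructed; the message wording is taken from the reply.

```python
import re

# Constructed auth.log excerpt modelled on the bruteforceblocker messages
# quoted in the reply; these are not real log lines or real attacker addresses.
SAMPLE_AUTH_LOG = """\
Oct  5 12:40:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Oct  5 12:40:01 host bruteforceblocker[1202]: 203.0.113.7 was logged with total count of 1.
Oct  5 12:40:03 host bruteforceblocker[1202]: 203.0.113.7 was logged with total count of 2.
Oct  5 12:40:05 host bruteforceblocker[1202]: IP 203.0.113.7 reached the maximum number of failed attempts!!!
Oct  5 12:40:05 host bruteforceblocker[1202]: Adding IP to the firewall...
Oct  5 12:41:10 host bruteforceblocker[1202]: 198.51.100.9 was logged with total count of 1.
"""

# Constructed contents of the persist file (one address per line), as pf
# would read them for `table <bruteforce> persist file "/var/log/bruteforce"`.
SAMPLE_TABLE_FILE = "203.0.113.7\n"

COUNT_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+) was logged with total count of (\d+)\.")
MAX_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+) reached the maximum number of failed attempts")


def parse_blocker_log(text):
    """Return (counts, blocked): latest failure count per IP, and the IPs the
    script announced it was handing to the firewall."""
    counts, blocked = {}, set()
    for line in text.splitlines():
        m = COUNT_RE.search(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
            continue
        m = MAX_RE.search(line)
        if m:
            blocked.add(m.group(1))
    return counts, blocked


def parse_table_file(text):
    """Addresses from the persist file or from `pfctl -t bruteforce -T show`."""
    return {ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")}


def diagnose(log_text, table_text):
    """Classify each IP seen by bruteforceblocker:
    in_table        -> script side is fine; if still unblocked, look at pf (reload, rule order, interface)
    blocker_missed  -> script said it added the IP but the table does not have it
    below_threshold -> $max_attempts not yet reached, nothing should be blocked"""
    counts, blocked = parse_blocker_log(log_text)
    table = parse_table_file(table_text)
    verdict = {}
    for ip in counts:
        verdict[ip] = "in_table" if ip in table else ("blocker_missed" if ip in blocked else "below_threshold")
    return verdict
```

Run `diagnose(open("/var/log/auth.log").read(), open("/var/log/bruteforce").read())` on a live host to see which side of the chain to inspect next.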


More information about the freebsd-questions mailing list