bruteforceblocker + PF
Enrique Ayesta Perojo
eayesta at portugalete.uned.es
Thu Oct 6 00:07:57 PDT 2005
El Miércoles, 5 de Octubre de 2005 21:53, Noel Jones escribió:
> I'm going to assume this is just a small part of your pf.conf, because
> the part you show doesn't allow any internet access. Maybe you should
> show us your entire pf.conf.
Yes, it was a small part of my pf.conf. Anyway i'm trying on another machine
with a much smaller configuration with the same results. I think it should be
enough for bruteforceblocker to work
***/etc/pf.conf***
table <bruteforce> persist file "/var/log/bruteforce"
# options
set block-policy return
set loginterface bge0
# scrub
scrub in all
# filter rules
pass all
block in log quick inet proto tcp from <bruteforce> to any port ssh
> Do your rules display as expected?
> # pfctl -s rules
Yes, they display as expected
No ALTQ support in kernel
ALTQ related functions disabled
scrub in all fragment reassemble
pass all
block return in log quick inet proto tcp from <bruteforce> to any port = ssh
> Did you reload pf after you edited pf.conf?
> # pfctl -f /etc/pf.conf
Yes, i did
> Are you testing this from outside the 10.200.x.x network?
Yes
> In your auth.log do you see bruteforceblocker messages such as:
>
> 220.92.126.217 was logged with total count of 1.
>
> when an ssh login fails?
> And then after $max_attempts is exceeded you should see:
>
> IP 202.92.126.217 reached the maximum number of failed attempts!!!
> Adding IP to the firewall...
No, i don't see any of these messages, the only message i see is the start of
the log:
!!!!!!! log started at Wed Oct 5 18:53:23 2005 !!!!!!!
I cannot figure what's the problem, the bruteforce table remains clean after
the tests, but the bruteforce blocker is running in the system apparently
whithout any problems as i have checked with ps.
Thanks
More information about the freebsd-questions
mailing list