bruteforceblocker + PF
Enrique Ayesta Perojo
eayesta at portugalete.uned.es
Thu Oct 6 00:07:57 PDT 2005
On Wednesday, 5 October 2005 21:53, Noel Jones wrote:
> I'm going to assume this is just a small part of your pf.conf, because
> the part you show doesn't allow any internet access. Maybe you should
> show us your entire pf.conf.
Yes, it was a small part of my pf.conf. Anyway, I'm trying on another machine
with a much smaller configuration, with the same results. I think it should be
enough for bruteforceblocker to work:
table <bruteforce> persist file "/var/log/bruteforce"
set block-policy return
set loginterface bge0
scrub in all
# filter rules
block in log quick inet proto tcp from <bruteforce> to any port ssh
> Do your rules display as expected?
> # pfctl -s rules
Yes, they display as expected
No ALTQ support in kernel
ALTQ related functions disabled
scrub in all fragment reassemble
block return in log quick inet proto tcp from <bruteforce> to any port = ssh
> Did you reload pf after you edited pf.conf?
> # pfctl -f /etc/pf.conf
Yes, I did
> Are you testing this from outside the 10.200.x.x network?
> In your auth.log do you see bruteforceblocker messages such as:
> 126.96.36.199 was logged with total count of 1.
> when an ssh login fails?
> And then after $max_attempts is exceeded you should see:
> IP 188.8.131.52 reached the maximum number of failed attempts!!!
> Adding IP to the firewall...
No, I don't see any of these messages, the only message I see is the start of
!!!!!!! log started at Wed Oct 5 18:53:23 2005 !!!!!!!
I cannot figure out what the problem is. The bruteforce table remains clean after
the tests, but the bruteforce blocker is apparently running in the system
without any problems, as I have checked with ps.