bruteforceblocker + PF

Enrique Ayesta Perojo eayesta at portugalete.uned.es
Thu Oct 6 00:07:57 PDT 2005


On Wednesday, 5 October 2005 21:53, Noel Jones wrote:

> I'm going to assume this is just a small part of your pf.conf, because
> the part you show doesn't allow any internet access.  Maybe you should
> show us your entire pf.conf.

Yes, it was a small part of my pf.conf. Anyway, I'm trying on another machine 
with a much smaller configuration with the same results. I think it should be 
enough for bruteforceblocker to work.

***/etc/pf.conf***
table <bruteforce> persist file "/var/log/bruteforce"
        
# options
set block-policy return
set loginterface bge0

# scrub
scrub in all

# filter rules
pass all

block in log quick inet proto tcp from <bruteforce> to any port ssh


> Do your rules display as expected?
> # pfctl -s rules

Yes, they display as expected

No ALTQ support in kernel
ALTQ related functions disabled
scrub in all fragment reassemble
pass all
block return in log quick inet proto tcp from <bruteforce> to any port = ssh

> Did you reload pf after you edited pf.conf?
> # pfctl -f /etc/pf.conf

Yes, I did

> Are you testing this from outside the 10.200.x.x network?

Yes

> In your auth.log do you see bruteforceblocker messages such as:
>
> 220.92.126.217 was logged with total count of 1.
>
> when an ssh login fails?
> And then after $max_attempts is exceeded you should see:
>
> IP 202.92.126.217 reached the maximum number of failed attempts!!!
> Adding IP to the firewall...

No, I don't see any of these messages; the only message I see is the start of 
the log:

!!!!!!! log started at Wed Oct  5 18:53:23 2005 !!!!!!!

I cannot figure out what the problem is. The bruteforce table remains clean after 
the tests, but the bruteforce blocker is running on the system, apparently 
without any problems, as I have checked with ps.

Thanks
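
Added example, not part of the original message and not bruteforceblocker's own code: a sketch of the mechanism discussed in this thread, counting failed ssh logins per source address and building the pfctl command that would add an offender to the <bruteforce> table from the pf.conf above. The log lines are constructed, and MAX_ATTEMPTS and the function names are assumptions.

```python
import ipaddress
import re
from collections import Counter

MAX_ATTEMPTS = 3      # assumed threshold, stands in for $max_attempts
TABLE = "bruteforce"  # table name from the pf.conf in the message

# Constructed sample auth.log lines (documentation address ranges).
SAMPLE_LOG = """\
Oct  5 18:55:01 host sshd[811]: Failed password for root from 192.0.2.10 port 4021 ssh2
Oct  5 18:55:03 host sshd[812]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2
Oct  5 18:55:05 host sshd[813]: Failed password for root from 198.51.100.7 port 5100 ssh2
Oct  5 18:55:06 host sshd[814]: Failed password for root from 192.0.2.10 port 4023 ssh2
Oct  5 18:55:08 host sshd[815]: Accepted password for enrique from 198.51.100.20 port 6000 ssh2
Oct  5 18:55:09 host sshd[816]: Failed password for test from 198.51.100.7 port 5101 ssh2
Oct  5 18:55:11 host sshd[817]: Failed password for root from 192.0.2.10 port 4024 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user |illegal user )?\S+ "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def count_failures(log_text):
    """Return a Counter of failed ssh logins keyed by source IPv4 address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def offenders(counts, max_attempts=MAX_ATTEMPTS):
    """Addresses whose failure count exceeds the threshold."""
    return sorted(ip for ip, n in counts.items() if n > max_attempts)

def pfctl_add_cmd(ip, table=TABLE):
    """Build (not run) the pfctl argv that adds ip to the PF table."""
    ipaddress.ip_address(ip)  # raises ValueError on anything but an address
    return ["pfctl", "-t", table, "-T", "add", ip]

if __name__ == "__main__":
    for ip in offenders(count_failures(SAMPLE_LOG)):
        print(" ".join(pfctl_add_cmd(ip)))
```

If a counter like this never sees matching lines, the table stays empty no matter how the block rule is written; `pfctl -t bruteforce -T show` lists what the table currently holds.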

