bruteforceblocker + PF

Daniel Gerzo danger at rulez.sk
Fri Oct 7 04:11:17 PDT 2005


Hello Enrique,

Friday, October 7, 2005, 10:12:34 AM, you wrote:

> On Thursday, 06 October 2005 22:18, Daniel Gerzo wrote:
>> Hi questions, Enrique Ayesta Perojo,
>>
>> <snip because I have accidentally lost the thread :-)>
>>
>>    It seems like bruteforceblocker is running, since you can see
>>    messages in your auth.log. This is good. Could you please provide
>>    me info on which version of OpenSSH you are using, so I can debug? I
>>    have some reports that my bruteforceblocker does not work with
>>    older versions of OpenSSH, since they use a little bit different
>>    format of warnings, so my regexps do not apply. Also, please send
>>    here the format of those messages.
>>
>>    Thank you.

> This is the version:

> OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7e 25 Oct 2004

> It's a FreeBSD 5.4-p7 box, and here there are some of the messages 
> at /var/log/auth.log:

> Oct  6 18:29:26 fatboy sshd[28472]: Illegal user jack from 63.67.26.114
> Oct  6 18:29:26 fatboy sshd[28472]: reverse mapping checking getaddrinfo for
> host114.nokia-boston.com failed - POSSIBLE BREAKIN ATTEMPT!

> Oct  5 18:53:33 fatboy sshd[20731]: Illegal user pepito from 10.200.62.201
> Oct  5 18:53:33 fatboy sshd[20731]: Failed unknown for illegal user pepito
> from 10.200.62.201 port 44241 ssh2

Yeah, that's what I thought it would be ;-)
OpenSSH <= 3.8 uses a little bit different warning messages. You have
two ways to make your BruteForceBlocker work with your
installation.

1) Update your OpenSSH to 4.2; you can find the port in
security/openssh-portable (you can use the -DOPENSSH_OVERWRITE_BASE
option). Note that this is the one I prefer.

2) Modify the source code of BruteForceBlocker so that my regexps
will match your warnings: modify lines 58-60, for example change:

  Failed password.*from ((?:\d{1,3}\.){3}\d{1,3}) port
to
  Failed unknown for illegal user.*from ((?:\d{1,3}\.){3}\d{1,3}) port

or

  Invalid user.*from ((?:\d{1,3}\.){3}\d{1,3})
to
  Illegal user.*from ((?:\d{1,3}\.){3}\d{1,3})

> Thanks again

No problem, you are welcome. Let me know if it works.

-- 
Sincerely,
  Daniel Gerzo
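The regexp change Daniel describes is the whole point of the thread: an IP-blocking tool only sees what its patterns match, so a log-format change between OpenSSH releases silently turns the blocker into a no-op. The following Python script is an added example (not BruteForceBlocker's own Perl code) that runs both pattern sets from the message over a few constructed auth.log lines, modelled on the ones Enrique posted, and counts offending source addresses the way a blocker would before handing them to a PF table. The threshold value and the helper names are assumptions; the IPs in the sample are documentation ranges plus the 10.200.62.201 address from the thread.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the OpenSSH 3.8 lines quoted in the
# thread (lines 1-3) and the OpenSSH 4.x wording (lines 4-6). The last
# line is a successful login and must never be counted.
SAMPLE_LOG = """\
Oct  6 18:29:26 fatboy sshd[28472]: Illegal user jack from 192.0.2.10
Oct  5 18:53:33 fatboy sshd[20731]: Illegal user pepito from 10.200.62.201
Oct  5 18:53:33 fatboy sshd[20731]: Failed unknown for illegal user pepito from 10.200.62.201 port 44241 ssh2
Oct  7 09:01:02 fatboy sshd[31001]: Invalid user admin from 198.51.100.7
Oct  7 09:01:05 fatboy sshd[31001]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Oct  7 09:02:11 fatboy sshd[31010]: Failed password for root from 203.0.113.9 port 40000 ssh2
Oct  7 09:03:00 fatboy sshd[31020]: Accepted publickey for daniel from 203.0.113.50 port 2222 ssh2
"""

# Same capture group as in the thread: four dotted decimal octets.
IP = r"((?:\d{1,3}\.){3}\d{1,3})"

# Patterns as shipped for OpenSSH 4.x (the "before" side of the edit).
NEW_PATTERNS = [
    re.compile(r"Failed password.*from " + IP + r" port"),
    re.compile(r"Invalid user.*from " + IP),
]

# Patterns suggested in the thread for OpenSSH <= 3.8 (the "after" side).
OLD_PATTERNS = [
    re.compile(r"Failed unknown for illegal user.*from " + IP + r" port"),
    re.compile(r"Illegal user.*from " + IP),
]

# Running both sets together keeps the blocker working across an upgrade.
ALL_PATTERNS = NEW_PATTERNS + OLD_PATTERNS


def extract_offenders(log_text, patterns):
    """Return a Counter mapping source IP -> number of lines that matched.

    Each line is credited to at most one pattern, so a line that could
    match two regexps is not counted twice.
    """
    counts = Counter()
    for line in log_text.splitlines():
        for pat in patterns:
            m = pat.search(line)
            if m:
                counts[m.group(1)] += 1
                break
    return counts


def blocked_addresses(counts, threshold):
    """Addresses that reached the threshold (assumed value, not the tool's)."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for label, pats in (("OpenSSH 4.x regexps", NEW_PATTERNS),
                        ("OpenSSH <= 3.8 regexps", OLD_PATTERNS),
                        ("both sets", ALL_PATTERNS)):
        counts = extract_offenders(SAMPLE_LOG, pats)
        print(label, dict(counts), "-> block:", blocked_addresses(counts, 2))
```

Running it shows the failure mode from the thread: with only the 4.x regexps the two 3.8-style lines for 10.200.62.201 are never seen, so that address is never blocked, while with the 3.8 regexps the 4.x lines are invisible instead. A practitioner checking a freshly upgraded box can paste a few real lines from auth.log into SAMPLE_LOG and confirm the counts before trusting the PF table.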
