SSHguard and PF

Rob Farmer rfarmer at predatorlabs.net
Tue Nov 2 16:56:34 UTC 2010


On Tue, Nov 2, 2010 at 09:34, Justin V. <vic at yeaguy.com> wrote:
> Hi,
>
> Would this be considered brute force??

Yes

>
> This goes on and on:
>
>
> Nov  2 05:42:19 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING]
> Authentication failed for user [Administrator]
> Nov  2 05:42:53 yeaguy last message repeated 3 times
[...]
>
> My sshguard config:

Something isn't set up right if you are getting that many attempts -
it should kill them right away:

Nov  1 10:47:51 peridot sshd[77847]: reverse mapping checking
getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed -
POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:47:53 peridot sshd[77967]: reverse mapping checking
getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed -
POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:47:54 peridot sshd[78123]: reverse mapping checking
getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed -
POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:47:56 peridot sshd[78228]: reverse mapping checking
getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed -
POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:47:56 peridot sshguard[49177]: Blocking 178.238.137.213:4
for >420secs: 4 failures over 5 seconds.

Do you have the syslog.conf part set up as well as the pf part? I've
only used it for ssh but something like the following needs to be
there:

auth.info;authpriv.info                         |exec /usr/local/sbin/sshguard

> yeaguy#  nslookup  a214.amber.fastwebserver.de
> Server:         10.1.1.1
> Address:        10.1.1.1#53
>
> Non-authoritative answer:
> Name:   a214.amber.fastwebserver.de
> Address: 217.79.189.214
>

I wouldn't waste your time trying to find out who they are - just
block and move on. That site is probably a shared web hosting account
that was compromised by a bad php script - even if you successfully
complain (assuming it is a legit hoster that cares) and they do
something about it, there are thousands more.

-- 
Rob Farmer
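
The detection step this thread is about (sshguard reading the syslog stream and blocking a source after a burst of failures), as an added example that is not sshguard's code and not part of the message above: it parses constructed log lines modelled on the pure-ftpd and sshd messages quoted in the thread, expands syslogd's "last message repeated N times" summaries (which would otherwise hide three of the four pure-ftpd failures from a naive line counter), applies a per-source sliding-window threshold, and renders the `pfctl` table commands a blocker would run. The threshold and window values, the `resolve` hook for turning pure-ftpd's reverse-mapped hostnames into addresses, and the pf table name `sshguard` are assumptions made for the example.

```python
"""Replay a syslog stream, count authentication failures per source inside a
sliding window, and render the pf table commands a log-driven blocker would run.
Illustrative reimplementation of the decision sshguard makes, not its code."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines modelled on the pure-ftpd and sshd messages quoted in
# the thread (same source names/addresses); the timestamps and the 'Accepted'
# line are made up.
SAMPLE_LOG = """\
Nov  2 05:42:19 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:42:53 yeaguy last message repeated 3 times
Nov  2 05:43:10 yeaguy sshd[77847]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  2 05:43:11 yeaguy sshd[77967]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  2 05:43:12 yeaguy sshd[78123]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Nov  2 05:43:13 yeaguy sshd[78228]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  2 05:43:14 yeaguy sshd[78301]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
"""

SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
REPEATED = re.compile(r"^last message repeated (?P<n>\d+) times$")
# Each pattern captures the source (address or reverse-mapped name) of one failed attempt.
FAILURE_PATTERNS = [
    re.compile(r"^pure-ftpd: \(\S*?@(?P<src>[^)]+)\) \[WARNING\] Authentication failed"),
    re.compile(r"^sshd\[\d+\]: reverse mapping checking getaddrinfo for \S+ \[(?P<src>[^\]]+)\] failed"),
    re.compile(r"^sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<src>\S+)"),
]
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_events(text, year=2010):
    """Return [(timestamp, source)] for every failed attempt in a syslog stream,
    expanding syslogd's 'last message repeated N times' summaries into N events."""
    events = []
    last_src = None  # source of the previous line if it was a failure, else None
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        rep = REPEATED.match(m["msg"])
        if rep:
            # syslogd collapsed N identical lines; their own times are lost, so
            # credit all N at the time of the summary line.
            if last_src is not None:
                events.extend([(ts, last_src)] * int(rep["n"]))
            continue
        last_src = None
        for pat in FAILURE_PATTERNS:
            fm = pat.match(m["msg"])
            if fm:
                last_src = fm["src"]
                events.append((ts, last_src))
                break
    return events


def detect_blocks(events, threshold=4, window_secs=600):
    """Sliding-window rule (parameters chosen for the example): once a source shows
    `threshold` failures within `window_secs`, record {source: (time, count)}."""
    recent = defaultdict(deque)
    blocked = {}
    for ts, src in sorted(events):
        if src in blocked:
            continue
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_secs:
            q.popleft()
        if len(q) >= threshold:
            blocked[src] = (ts, len(q))
    return blocked


def pf_commands(blocked, table="sshguard", resolve=None):
    """Render the pfctl calls that add each blocked source to a pf table; pf.conf
    must declare `table <sshguard> persist` and block traffic from it. pure-ftpd
    logs reverse-mapped names, which pf cannot use, so names go through the
    optional `resolve` callable (kept pluggable so the example runs offline)."""
    cmds = []
    for src in sorted(blocked):
        if IPV4.match(src):
            addr = src
        elif resolve is not None:
            addr = resolve(src)
        else:
            cmds.append(f"# {src}: hostname, resolve to an address before adding")
            continue
        cmds.append(f"pfctl -t {table} -T add {addr}")
    return cmds


if __name__ == "__main__":
    hits = detect_blocks(parse_events(SAMPLE_LOG))
    for src, (ts, n) in hits.items():
        print(f"Blocking {src}: {n} failures by {ts:%H:%M:%S}")
    print("\n".join(pf_commands(hits)))
```

Running it with the default 600-second window flags both sources; with a 5-second window only the sshd source is flagged, because the three collapsed pure-ftpd repeats can only be credited at the summary line's time, 34 seconds after the first failure. That is the practical reason the syslog.conf pipe matters: sshguard sees each line as it is emitted rather than the coalesced summary that ends up in the file.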


More information about the freebsd-questions mailing list