bruteforce not restarting pf?

Dave dmehler26 at woh.rr.com
Tue Nov 8 18:26:27 GMT 2005


Hi,
    Thanks for your reply. I checked out the site and my configuration is 
good. The information bruteforce needs is being collected by syslog and 
placed in the table; when this table is updated, pf doesn't update its copy 
of it.
Dave.

----- Original Message ----- 
From: "Gerard Seibert" <gerard at seibercom.net>
To: <freebsd-questions at freebsd.org>
Sent: Tuesday, November 08, 2005 12:40 PM
Subject: Re: bruteforce not restarting pf?


> On Tuesday, November 08, 2005 12:02:02 PM, "Dave" <dmehler26 at woh.rr.com>
> Subject: bruteforce not restarting pf?
> Wrote these words of wisdom:
>
>> Hello,
>>     I've got a machine running 5.4, offering ssh services and running
>> bruteforce. In my daily security log emails I am seeing entries like:
>>
>> Nov  7 07:06:55 zeus sshd[24747]: Failed password for illegal user miha from 163.13.111.172 port 56265 ssh2
>> Nov  7 07:06:58 zeus sshd[24749]: Failed password for illegal user miha from 163.13.111.172 port 56319 ssh2
>> Nov  7 07:07:01 zeus sshd[24751]: Failed password for root from 163.13.111.172 port 56376 ssh2
>> Nov  7 07:07:03 zeus sshd[24753]: Failed password for root from 163.13.111.172 port 56418 ssh2
>> Nov  7 07:07:05 zeus sshd[24757]: Failed password for illegal user simon from 163.13.111.172 port 56461 ssh2
>> Nov  7 07:07:08 zeus sshd[24759]: Failed password for illegal user simon from 163.13.111.172 port 56504 ssh2
>> Nov  7 07:07:10 zeus sshd[24761]: Failed password for root from 163.13.111.172 port 56543 ssh2
>> Nov  7 07:07:12 zeus sshd[24763]: Failed password for root from 163.13.111.172 port 56589
>> ...
>>
>> I know these are automated attempts at entry but I thought bruteforce was
>> supposed to stop these. In my auth.log I do see the IP being added, but
>> connections are still allowed. Here's the snippet:
>>
>> Nov  7 06:54:52 zeus sshd[24687]: fatal: Timeout before authentication for 163.13.111.172
>> Nov  7 07:06:55 zeus sshd[24747]: Illegal user miha from 163.13.111.172
>> Nov  7 07:06:55 zeus sshd[24747]: Failed password for illegal user miha from 163.13.111.172 port 56265 ssh2
>> 163.13.111.172 was logged with total count of 1.
>> Nov  7 07:06:58 zeus sshd[24749]: Illegal user miha from 163.13.111.172
>> Nov  7 07:06:58 zeus sshd[24749]: Failed password for illegal user miha from 163.13.111.172 port 56319 ssh2
>> 163.13.111.172 was logged with total count of 2.
>> Nov  7 07:07:01 zeus sshd[24751]: Failed password for root from 163.13.111.172 port 56376 ssh2
>> 163.13.111.172 was logged with total count of 3.
>> Nov  7 07:07:03 zeus sshd[24753]: Failed password for root from 163.13.111.172 port 56418 ssh2
>> IP 163.13.111.172 reached the maximum number of failed attempts!!!
>> Adding IP to the firewall...
>> Nov  7 07:07:05 zeus sshd[24757]: Illegal user simon from 163.13.111.172
>> Nov  7 07:07:05 zeus sshd[24757]: Failed password for illegal user simon from 163.13.111.172 port 56461 ssh2
>> Nov  7 07:07:08 zeus sshd[24759]: Illegal user simon from 163.13.111.172
>> Nov  7 07:07:08 zeus sshd[24759]: Failed password for illegal user simon from 163.13.111.172 port 56504 ssh2
>> Nov  7 07:07:10 zeus sshd[24761]: Failed password for root from 163.13.111.172 port 56543 ssh2
>>
>> Checking my bruteforce table, I see 163.13.111.172/32 in it, so it was
>> added, but I don't get why future connections were permitted unless pf 
>> was
>> not restarted or informed about the updated table. In my pf.conf file I
>> have:
>>
>> table <bruteforce> persist file "/etc/bruteforce"
>> set block-policy drop
>> block in log quick on $ext_if inet proto tcp from <bruteforce> to any port ssh
>>
>> Any help appreciated.
>> Thanks.
>> Dave.
>>
>
> ***** REPLY SEPARATOR *****
> On 10/11/2005 5:29:42 PM, Gerard Replied:
>
> You might want to check out this URL:
>
> http://danger.rulez.sk/projects/bruteforceblocker/
>
> Perhaps you might be able to glom something of value there.
>
> -- 
> Gerard Seibert
> gerard at seibercom.net
>
>
> A: Because it reverses the natural flow of a dialog.
> Q: Why is top posting undesirable when replying?
>
> TOPIC: Posting Etiquette
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to 
> "freebsd-questions-unsubscribe at freebsd.org" 
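An added example, not part of the thread and not bruteforce's own code: a shell check for the condition described in this message, comparing the addresses in the table file with the copy of the table pf has loaded. The table name and file path come from the quoted pf.conf; the function names are hypothetical, and the example assumes `pfctl -T show` lists a single host without the `/32` suffix.

```shell
#!/bin/sh
# Added example: report addresses that are in the table file on disk
# but missing from pf's loaded copy of the same table.

TABLE=bruteforce            # table name from the quoted pf.conf
TABLE_FILE=/etc/bruteforce  # file path from the quoted pf.conf

# One address per line: strip comments, blank lines, surrounding
# whitespace and a trailing /32, so "1.2.3.4/32" equals "   1.2.3.4".
normalize() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's|/32$||' -e '/^$/d' | LC_ALL=C sort -u
}

# missing_from_pf FILE LOADED
#   FILE   - the table file on disk
#   LOADED - saved output of: pfctl -t "$TABLE" -T show
# Prints every address present in FILE but absent from LOADED.
missing_from_pf() {
    tmp_file=$(mktemp) || return 2
    tmp_loaded=$(mktemp) || { rm -f "$tmp_file"; return 2; }
    normalize < "$1" > "$tmp_file"
    normalize < "$2" > "$tmp_loaded"
    LC_ALL=C comm -23 "$tmp_file" "$tmp_loaded"
    rm -f "$tmp_file" "$tmp_loaded"
}

# check_live: run the comparison against the running firewall (needs root).
# Any address it prints is blocked on paper only; the file can be re-read
# into the loaded table with:
#   pfctl -t bruteforce -T replace -f /etc/bruteforce
check_live() {
    loaded=$(mktemp) || return 2
    pfctl -t "$TABLE" -T show > "$loaded" || { rm -f "$loaded"; return 2; }
    missing_from_pf "$TABLE_FILE" "$loaded"
    rm -f "$loaded"
}
```

Calling `check_live` from cron or right after the blocker logs "Adding IP to the firewall..." shows whether the block rule can actually match the new address.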


