bruteforceblocker + PF

Daniel Gerzo danger at
Fri Oct 7 04:11:17 PDT 2005

Hello Enrique,

Friday, October 7, 2005, 10:12:34 AM, you had in mind:

> On Thursday 06 October 2005 22:18, Daniel Gerzo wrote:
>> Hi questions, Enrique Ayesta Perojo,
>> <snip because I have accidentally lost the thread :-)>
>>    It seems like bruteforceblocker is running, since you can see
>>    messages in your auth.log. This is good. Could you please provide
>>    me with info on which version of OpenSSH you are using, so I can debug? I
>>    have some reports that my bruteforceblocker does not work with
>>    older versions of OpenSSH, since they use a slightly different
>>    format of warnings, so my regexps do not apply. Also, please send
>>    here the format of those messages.
>>    Thank you.

> This is the version:

> OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7e 25 Oct 2004

> It's a FreeBSD 5.4-p7 box, and here there are some of the messages 
> at /var/log/auth.log:

> Oct  6 18:29:26 fatboy sshd[28472]: Illegal user jack from
> Oct  6 18:29:26 fatboy sshd[28472]: reverse mapping checking getaddrinfo for

> Oct  5 18:53:33 fatboy sshd[20731]: Illegal user pepito from
> Oct  5 18:53:33 fatboy sshd[20731]: Failed unknown for illegal user pepito
> from port 44241 ssh2

yeah, that's what I thought it would be ;-)
OpenSSH <= 3.8 uses slightly different warning messages. You have
two ways to make your BruteForceBlocker work with your

1) Update your OpenSSH to 4.2; you can find the port in
security/openssh-portable (you can use the -DOPENSSH_OVERWRITE_BASE
option). Note that this is the one I prefer.

2) Modify the source code of the BruteForceBlocker so that my regexps
will match your warnings; modify lines 58-60, for example change:

  Failed password.*from ((?:\d{1,3}\.){3}\d{1,3}) port
  Failed unknown for illegal user.*from ((?:\d{1,3}\.){3}\d{1,3}) port


  Invalid user.*from ((?:\d{1,3}\.){3}\d{1,3})
  Illegal user.*from ((?:\d{1,3}\.){3}\d{1,3})

> Thanks again

No problem, you are welcome. Let me know if it works.

  Daniel Gerzo
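An added example, not BruteForceBlocker's own code, showing the log-format difference discussed in the thread: a small Python matcher that accepts both the OpenSSH <= 3.8 wording ("Illegal user", "Failed unknown for illegal user") and the 4.x wording ("Invalid user", "Failed password"), counts failures per source address, and reports the addresses at or above a threshold as candidates for a pf table. The sample auth.log lines and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are constructed.

```python
import re
from collections import Counter

# Failure messages the thread discusses. The first two forms are what
# OpenSSH 4.x logs; the last two are the older (<= 3.8) wording seen in
# Enrique's auth.log. Each pattern captures the client IPv4 address.
IPV4 = r"((?:\d{1,3}\.){3}\d{1,3})"
FAILURE_PATTERNS = [
    re.compile(r"Failed password.*from " + IPV4 + r" port"),
    re.compile(r"Invalid user.*from " + IPV4),
    re.compile(r"Failed unknown for illegal user.*from " + IPV4 + r" port"),
    re.compile(r"Illegal user.*from " + IPV4),
]

def extract_source_ip(line):
    """Return the source IP of a failed sshd login, or None if the line is not one."""
    if "sshd[" not in line:
        return None
    for pat in FAILURE_PATTERNS:
        m = pat.search(line)
        if m:
            return m.group(1)   # first matching pattern wins; one count per line
    return None

def offenders(lines, threshold):
    """Count failures per source IP and return those at or above threshold."""
    counts = Counter()
    for line in lines:
        ip = extract_source_ip(line)
        if ip:
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample: one host logging both old-style (3.8) and new-style
# (4.2) messages. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Oct  6 18:29:26 fatboy sshd[28472]: Illegal user jack from 192.0.2.10
Oct  6 18:29:26 fatboy sshd[28472]: reverse mapping checking getaddrinfo for host.example failed
Oct  5 18:53:33 fatboy sshd[20731]: Illegal user pepito from 192.0.2.10
Oct  5 18:53:33 fatboy sshd[20731]: Failed unknown for illegal user pepito from 192.0.2.10 port 44241 ssh2
Oct  7 09:01:02 fatboy sshd[30111]: Invalid user admin from 198.51.100.7
Oct  7 09:01:05 fatboy sshd[30111]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Oct  7 09:02:00 fatboy sshd[30120]: Accepted publickey for daniel from 203.0.113.9 port 40000 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_AUTH_LOG, threshold=3).items():
        print(f"{ip}: {n} failures -> candidate for the pf block table")
```

The "Accepted publickey" line and the reverse-mapping notice never match, so only real authentication failures are counted.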

More information about the freebsd-questions mailing list