SSHguard and PF

Justin V. vic at yeaguy.com
Tue Nov 2 16:35:13 UTC 2010


Hi,

Would this be considered brute force?

This goes on and on:


Nov  2 05:42:19 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:42:53 yeaguy last message repeated 3 times
Nov  2 05:43:11 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:43:31 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
Nov  2 05:43:35 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:43:54 yeaguy last message repeated 2 times
Nov  2 05:44:27 yeaguy last message repeated 2 times
Nov  2 05:44:47 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
Nov  2 05:44:53 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:45:27 yeaguy last message repeated 3 times
Nov  2 05:45:44 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:46:05 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
Nov  2 05:46:12 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:46:47 yeaguy last message repeated 3 times
Nov  2 05:47:03 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:47:24 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
Nov  2 05:47:31 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:48:06 yeaguy last message repeated 3 times
Nov  2 05:48:24 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:48:45 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
Nov  2 05:48:50 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:49:25 yeaguy last message repeated 3 times
Nov  2 05:49:42 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:50:01 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
Nov  2 05:50:08 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:50:40 yeaguy last message repeated 3 times
Nov  2 05:50:58 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:51:20 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
Nov  2 05:51:25 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:51:59 yeaguy last message repeated 3 times
Nov  2 05:52:16 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]



My sshguard config:



#       $FreeBSD: src/share/examples/pf/pf.conf,v 1.1.4.1.4.1 2010/06/14 02:09:06 kensmith Exp $
#       $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if="wlan0"
#int_if="int0"

#table <spamd-white> persist
table <sshguard> persist

#set skip on lo

#scrub in

#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
#       -> 127.0.0.1 port spamd

#anchor "ftp-proxy/*"
#block in
block in log quick on $ext_if from <sshguard> label "bruteforce"
#pass out

#pass quick on $int_if no state
#antispoof quick for { lo $int_if }

#pass in on $ext_if proto tcp to ($ext_if) port ssh
#pass in log on $ext_if proto tcp to ($ext_if) port smtp
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp


LOGS:

yeaguy#  nslookup  a214.amber.fastwebserver.de
Server:         10.1.1.1
Address:        10.1.1.1#53

Non-authoritative answer:
Name:   a214.amber.fastwebserver.de
Address: 217.79.189.214

yeaguy# tcpdump -n -e -ttt -r /var/log/pflog | grep 217.79.189.214
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
yeaguy#


Thanks,

Justin
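As an added example (not from Justin's post, nor sshguard's own code), a Python check that tallies the failed pure-ftpd logins per source host from the lines quoted above, folding syslog's "last message repeated N times" entries into the count, and flags a host once it reaches an assumed 5 failures within 5 minutes; the year 2010 for the timestamps is also an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines taken from the pure-ftpd output quoted in the post above.
SAMPLE_LOG = """\
Nov  2 05:42:19 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:42:53 yeaguy last message repeated 3 times
Nov  2 05:43:11 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:43:31 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
Nov  2 05:43:35 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:43:54 yeaguy last message repeated 2 times
Nov  2 05:44:27 yeaguy last message repeated 2 times
"""

TS = r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
FAIL_RE = re.compile(TS + r"pure-ftpd: \(\S*@(?P<host>[^)]+)\) \[WARNING\] "
                    r"Authentication failed for user \[[^\]]*\]")
REPEAT_RE = re.compile(TS + r"last message repeated (?P<n>\d+) times")

def parse_ts(s, year=2010):
    # syslog timestamps carry no year; 2010 is assumed from the post's date
    return datetime.strptime(f"{year} {' '.join(s.split())}", "%Y %b %d %H:%M:%S")

def count_failures(log_text):
    """Return {host: [timestamps]} of failed logins; syslog's 'last message repeated
    N times' is credited to the host of the preceding failure (any other line ends that chain)."""
    per_host = defaultdict(list)
    last_host = None
    for line in log_text.splitlines():
        if m := FAIL_RE.match(line):
            last_host = m["host"]
            per_host[last_host].append(parse_ts(m["ts"]))
        elif (m := REPEAT_RE.match(line)) and last_host:
            per_host[last_host].extend([parse_ts(m["ts"])] * int(m["n"]))
        else:
            last_host = None
    return dict(per_host)

def bruteforce_sources(per_host, threshold=5, window_s=300):
    """Hosts with at least `threshold` failures inside any `window_s` seconds
    (threshold and window are assumed values, not sshguard's own settings)."""
    flagged = {}
    for host, times in per_host.items():
        times = sorted(times)
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                flagged[host] = len(times)
                break
    return flagged
```

`pfctl -t sshguard -T show` lists what sshguard has actually inserted into the table; if the offending address is absent there, the `block ... log` rule never fired, which matches the empty pflog.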
