Date:      Fri, 7 Oct 2005 13:08:33 +0200
From:      Daniel Gerzo <danger@rulez.sk>
To:        Enrique Ayesta Perojo <eayesta@portugalete.uned.es>
Cc:        questions@freebsd.org
Subject:   Re[2]: bruteforceblocker + PF
Message-ID:  <1278385121.20051007130833@rulez.sk>
In-Reply-To: <200510071012.38464.eayesta@portugalete.uned.es>
References:  <867109688.20051006221846@rulez.sk> <200510071012.38464.eayesta@portugalete.uned.es>

Hello Enrique,

Friday, October 7, 2005, 10:12:34 AM, you had in mind:

> On Thursday, 6 October 2005, 22:18, Daniel Gerzo wrote:
>> Hi questions, Enrique Ayesta Perojo,
>>
>> <snip because I have accidentally lost the thread :-)>
>>
>>    It seems like bruteforceblocker is running, since you can see
>>    messages in your auth.log. This is good. Could you please tell me
>>    which version of OpenSSH you are using, so I can debug? I have
>>    some reports that my bruteforceblocker does not work with older
>>    versions of OpenSSH, since they use a slightly different format
>>    of warnings, so my regexps do not apply. Also, please send here
>>    the format of those messages.
>>
>>    Thank you.

> This is the version:

> OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7e 25 Oct 2004

> It's a FreeBSD 5.4-p7 box, and here are some of the messages
> from /var/log/auth.log:

> Oct  6 18:29:26 fatboy sshd[28472]: Illegal user jack from 63.67.26.114
> Oct  6 18:29:26 fatboy sshd[28472]: reverse mapping checking getaddrinfo for
> host114.nokia-boston.com failed - POSSIBLE BREAKIN ATTEMPT!

> Oct  5 18:53:33 fatboy sshd[20731]: Illegal user pepito from 10.200.62.201
> Oct  5 18:53:33 fatboy sshd[20731]: Failed unknown for illegal user pepito
> from 10.200.62.201 port 44241 ssh2

Yeah, that's what I thought it would be ;-)
OpenSSH <= 3.8 uses slightly different warning messages. You have
two ways to make your BruteForceBlocker work with your
installation.

1) Update your OpenSSH to 4.2; you can find the port in
security/openssh-portable (you can use the -DOPENSSH_OVERWRITE_BASE
option). Note that this is the one I prefer.

2) Modify the source code of BruteForceBlocker so that my regexps
will match your warnings: modify lines 58-60, for example change:

  Failed password.*from ((?:\d{1,3}\.){3}\d{1,3}) port
to
  Failed unknown for illegal user.*from ((?:\d{1,3}\.){3}\d{1,3}) port

or

  Invalid user.*from ((?:\d{1,3}\.){3}\d{1,3})
to
  Illegal user.*from ((?:\d{1,3}\.){3}\d{1,3})

> Thanks again

No problem, you are welcome. Let me know if it works.

-- 
Sincerely,
  Daniel Gerzo
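
Added example (not part of the thread and not BruteForceBlocker's own code): a small Python script that runs both regexp sets from the message above, the original ones for the newer OpenSSH log format and the rewritten ones for OpenSSH <= 3.8, over a constructed auth.log excerpt built from the lines Enrique posted (re-joined onto single lines, as syslog actually writes them) plus two lines in the newer "Invalid user" / "Failed password" format. The per-IP counting, the threshold of 3 and the function names are assumptions for illustration only; BruteForceBlocker's real configuration and pf table handling are not reproduced here.

```python
import re
from collections import Counter

# Capture group for a dotted-quad IPv4 address, exactly as in the message above.
IP = r"((?:\d{1,3}\.){3}\d{1,3})"

# Regexps BruteForceBlocker uses for the newer OpenSSH log format (quoted in the thread).
NEW_FORMAT = [
    re.compile(r"Failed password.*from " + IP + r" port"),
    re.compile(r"Invalid user.*from " + IP),
]

# The rewritten variants suggested for OpenSSH <= 3.8 (quoted in the thread).
OLD_FORMAT = [
    re.compile(r"Failed unknown for illegal user.*from " + IP + r" port"),
    re.compile(r"Illegal user.*from " + IP),
]

# Constructed sample log: Enrique's OpenSSH 3.8.1p1 lines re-joined onto single
# lines, two extra 3.8-style attempts from the same host, a reverse-mapping
# warning that carries no "from <ip>", and two lines in the newer format.
SAMPLE_LOG = """\
Oct  6 18:29:26 fatboy sshd[28472]: Illegal user jack from 63.67.26.114
Oct  6 18:29:26 fatboy sshd[28472]: reverse mapping checking getaddrinfo for host114.nokia-boston.com failed - POSSIBLE BREAKIN ATTEMPT!
Oct  5 18:53:33 fatboy sshd[20731]: Illegal user pepito from 10.200.62.201
Oct  5 18:53:33 fatboy sshd[20731]: Failed unknown for illegal user pepito from 10.200.62.201 port 44241 ssh2
Oct  5 18:53:40 fatboy sshd[20733]: Illegal user pepito from 10.200.62.201
Oct  5 18:53:40 fatboy sshd[20733]: Failed unknown for illegal user pepito from 10.200.62.201 port 44250 ssh2
Oct  7 09:01:02 fatboy sshd[30001]: Invalid user admin from 198.51.100.7
Oct  7 09:01:02 fatboy sshd[30001]: Failed password for invalid user admin from 198.51.100.7 port 51515 ssh2
"""

# Constructed line (hypothetical): a username that itself contains "from <ip>".
# sshd prints the real peer address last; the greedy ".*" makes that one win.
SPOOF_LINE = "Oct  7 09:02:00 fatboy sshd[30010]: Invalid user x from 192.0.2.1 from 198.51.100.7"


def source_ip(line, patterns):
    """Return the IP captured by the first matching pattern, or None."""
    for pat in patterns:
        m = pat.search(line)
        if m:
            return m.group(1)
    return None


def extract_ips(log_text, patterns):
    """Return one attacker IP per log line that any of `patterns` matches."""
    hits = []
    for line in log_text.splitlines():
        ip = source_ip(line, patterns)
        if ip is not None:
            hits.append(ip)
    return hits


def offenders(log_text, patterns, threshold):
    """IPs with at least `threshold` matching lines, sorted (threshold is an assumed value)."""
    counts = Counter(extract_ips(log_text, patterns))
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for name, pats in (("newer-format regexps", NEW_FORMAT),
                       ("OpenSSH <= 3.8 regexps", OLD_FORMAT)):
        print(name, dict(Counter(extract_ips(SAMPLE_LOG, pats))))
    print("would block (>= 3 hits, both sets):",
          offenders(SAMPLE_LOG, NEW_FORMAT + OLD_FORMAT, 3))
    print("spoof line resolves to:", source_ip(SPOOF_LINE, NEW_FORMAT))
```

Running it shows the silent failure Enrique hit: the newer-format patterns match nothing in the 3.8.1p1 lines, while the rewritten ones count 10.200.62.201 four times and 63.67.26.114 once. The reverse-mapping warning carries no "from <ip>" and is ignored by both sets. Because the log lines in the mail were wrapped by the mail client, make sure the patterns are tested against the single-line form syslog actually writes.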

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1278385121.20051007130833>