Date:      Tue, 4 Nov 2014 12:02:02 +0100
From:      Hasse Hansson <hasse@thorshammare.org>
To:        Fbsd8 <fbsd8@a1poweruser.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: sshguard pf
Message-ID:  <20141104110202.GA37003@ymer.thorshammare.org>
In-Reply-To: <54581F0E.4080404@a1poweruser.com>
References:  <20141102154444.GA42429@ymer.thorshammare.org> <54581F0E.4080404@a1poweruser.com>

On Tue, Nov 04, 2014 at 08:34:22AM +0800, Fbsd8 wrote:
> Hasse Hansson wrote:
> > Hello
> >
> > uname -a
> > FreeBSD ymer.thorshammare.org 10.1-RC3 FreeBSD 10.1-RC3 #0 r273437: Wed Oct 22 01:27:10 UTC 2014
> > root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  i386
> >
> > I have a bit of a problem getting some bots blocked. I'm running pf and sshguard. Even tried fail2ban.
> > Below is a snippet from my auth.log showing sshguard blocking some IPs, but not the bot scans.
> > Both tables abusers and sshguard are empty and always were.
> > This junk is filling up my logfiles.
> > Any clues what I'm doing wrong or missing?
> >
> > I'm running two crontabs:
> > # Sshguard
> > 0/1     *       *       *       *       root pfctl -t sshguard -T show >/etc/sshguard 2>/dev/null
> > #
> > # Bruteforce ssh
> > 0/2     *       *       *       *       root pfctl -t abusers -T show >/etc/abusers 2>/dev/null
> >
> >
> > In /etc/ssh/sshd_config I've uncommented:
> > Port 22
> > AddressFamily any
> > Protocol 2
> > SyslogFacility AUTH
> > LogLevel INFO
> >
> > # Authentication:
> >
> > LoginGraceTime 1m
> > PermitRootLogin no
> > StrictModes yes
> > MaxAuthTries 5
> > MaxSessions 10
> >
> > PasswordAuthentication no
> > PermitEmptyPasswords no
> > ChallengeResponseAuthentication no
> >
> > MaxStartups 10:30:100
> >
> > In my /etc/rc.conf I have:
> > pf_enable="YES"
> > pflog_enable="YES"
> > pflog_logfile="/var/log/pflog"
> > sshguard_enable="YES"
> > sshguard_safety_thresh="30"
> > sshguard_pardon_min_interval="600"
> > sshguard_prescribe_interval="7200"
> >
> > In /etc/pf.conf:
> > ext_if="fxp0"
> > int_if="xl0"
> > webports="{ http, https }"
> >
> > table <abusers> counters persist
> > table <sshguard> persist
> >
> > set skip on lo
> > scrub in
> >
> > block in
> > pass out
> >
> > block quick from <abusers> to any
> > block drop in log quick on $ext_if inet from <sshguard> to any
> >
> > pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 2/120, overload <abusers> flush)
> >
> > antispoof quick for { lo $ext_if $int_if }
> >
> > pass in on $ext_if proto tcp to ($ext_if) port ssh
> > pass in log on $ext_if proto tcp to ($ext_if) port smtp
> > pass out log on $ext_if proto tcp from ($ext_if) to port smtp
> > pass in log on $ext_if proto tcp to ($ext_if) port $webports
> > pass out log on $ext_if proto tcp from ($ext_if) to port $webports
> >
> > pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type { unreach, redir, timex }
> >
> > <snip>
> > Nov  2 07:51:13 ymer sshguard[19225]: Blocking 103.27.24.106:4 for >900secs: 30 danger in 3 attacks over 18 seconds (all: 30d in 1 abuses over 18s).
> > Nov  2 10:35:35 ymer sshguard[19225]: Blocking 60.190.71.52:4 for >900secs: 30 danger in 3 attacks over 8 seconds (all: 30d in 1 abuses over 8s).
> > Nov  2 11:09:50 ymer sshguard[19225]: Blocking 122.225.97.105:4 for >900secs: 30 danger in 3 attacks over 65 seconds (all: 30d in 1 abuses over 65s).
> > Nov  2 13:10:52 ymer sshguard[19225]: Blocking 50.30.32.19:4 for >900secs: 30 danger in 3 attacks over 4 seconds (all: 30d in 1 abuses over 4s).
> > Nov  2 14:34:55 ymer sshguard[19225]: Blocking 61.174.51.212:4 for >900secs: 30 danger in 3 attacks over 69 seconds (all: 30d in 1 abuses over 69s).
> >
> > Nov  2 16:32:09 ymer sshd[42957]: Connection from 202.109.143.110 port 3453 on 192.168.1.2 port 22
> > Nov  2 16:32:13 ymer sshd[42957]: Disconnecting: Too many authentication failures for root [preauth]
> > Nov  2 16:32:14 ymer sshd[42959]: Connection from 202.109.143.110 port 2838 on 192.168.1.2 port 22
> > Nov  2 16:32:17 ymer sshd[42959]: Disconnecting: Too many authentication failures for root [preauth]
> > Nov  2 16:32:21 ymer sshd[42961]: Connection from 202.109.143.110 port 3611 on 192.168.1.2 port 22
> > Nov  2 16:32:34 ymer sshd[42961]: Disconnecting: Too many authentication failures for root [preauth]
> > Nov  2 16:32:41 ymer sshd[42963]: Connection from 202.109.143.110 port 2507 on 192.168.1.2 port 22
> > Nov  2 16:32:48 ymer sshd[42963]: Disconnecting: Too many authentication failures for root [preauth]
> > Nov  2 16:32:49 ymer sshd[42965]: Connection from 202.109.143.110 port 4650 on 192.168.1.2 port 22
> > Nov  2 16:32:52 ymer sshd[42965]: Disconnecting: Too many authentication failures for root [preauth]
> > Nov  2 16:32:52 ymer sshd[42967]: Connection from 202.109.143.110 port 4650 on 192.168.1.2 port 22
> > Nov  2 16:33:01 ymer sshd[42967]: Disconnecting: Too many authentication failures for root [preauth]
> > Nov  2 16:33:02 ymer sshd[42983]: Connection from 202.109.143.110 port 4316 on 192.168.1.2 port 22
> > Nov  2 16:33:12 ymer sshd[42983]: Disconnecting: Too many authentication failures for root [preauth]
> > Nov  2 16:33:18 ymer sshd[42985]: Connection from 202.109.143.110 port 2539 on 192.168.1.2 port 22
> > Nov  2 16:33:27 ymer sshd[42985]: Disconnecting: Too many authentication failures for root [preauth]
> > Nov  2 16:33:28 ymer sshd[42987]: Connection from 202.109.143.110 port 4555 on 192.168.1.2 port 22
> > Nov  2 16:33:35 ymer sshd[42987]: Disconnecting: Too many authentication failures for root [preauth]
> > Nov  2 16:33:38 ymer sshd[42989]: Connection from 202.109.143.110 port 3164 on 192.168.1.2 port 22
> > Nov  2 16:33:43 ymer sshd[42989]: Disconnecting: Too many authentication failures for root [preauth]
> > Nov  2 16:33:43 ymer sshd[42991]: Connection from 202.109.143.110 port 4749 on 192.168.1.2 port 22
> > Nov  2 16:33:52 ymer sshd[42991]: fatal: Read from socket failed: Connection reset by peer [preauth]
> > </snip>
> >
> > Best Regards
> > Hasse.
>
> You are being attacked by script kiddies and bots. They scan a whole IP
> address range looking for open port 22 and when it's found they start
> their login attack. Changing ssh to use some other port number will stop
> this attack altogether. I changed ssh to use port '4422' 25 years ago
> and no attacks since. Another way is to use the port named 'knock' to
> temporarily open port 22 if preceded by a knock.
>
Thank you Fbsd8 for your answer.
I'm aware of changing the port for ssh, but I see it as a little bit of "giving up".
There's gotta be some rather easy way of just blocking those attacks, other than blocking
the whole of CN and half of Asia. I've tried that too. It stopped the attacks and gave
me some room to think it over.

But I still wonder why sshguard or pf don't block those attacks.
sshguard does its job on other probes, but not the root logins. PF doesn't seem
to do much at all.
Probably my settings somewhere, but I can't figure out where.
A wild guess from my side is that sshguard is using hosts.allow instead of pf.
Well, it doesn't do much harm other than cluttering up my logfiles anyway.
I'll see if I have better luck with Ossec-hids.
/hasse

PS.
Checked up on my installation of sshguard. Apparently I missed the pf switch.
It's now properly installed, showing up as "sshguard-pf-1.5_6"

and immediately got a chance to test it. It's working.

root@ymer:/var/log # pfctl -t sshguard -T show
No ALTQ support in kernel
ALTQ related functions disabled
   61.174.51.208
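The script below is an added example for this thread; it is not code posted by either participant and not part of sshguard or pf. It addresses the other half of the question, why the <abusers> table stayed empty even though the ssh pass rule carries an overload clause. In the quoted pf.conf that rule is followed by a second, plain "pass in on $ext_if proto tcp to ($ext_if) port ssh". pf evaluates rules last-match-wins unless a rule is marked quick, so every ssh SYN ended up matching the later rule and got a state with no max-src-conn-rate or overload options attached. The first function prints the ssh section rewritten with a single quick pass rule (it assumes $ext_if and $int_if are defined earlier in pf.conf, as in the original). The second function correlates the "Connection from" and "Too many authentication failures" lines the way the auth.log snippet above requires, by sshd child pid, and lists peers that exceed a threshold; the sample log it runs on is constructed in the same format with documentation addresses, not the real peers from the thread. Function names, the threshold and the sample are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes only POSIX sh, awk and sort;
# pfctl is only mentioned in comments so the script runs anywhere.
set -eu

# (1) The ssh part of pf.conf with the rule-order bug removed.
# Assumption: $ext_if and $int_if are set earlier in pf.conf as in the original.
corrected_ssh_rules() {
    cat <<'EOF'
table <abusers> counters persist
table <sshguard> persist

block in
pass out

# 'quick' so no later pass rule can override these blocks.
block quick from <abusers> to any
block drop in log quick on $ext_if inet from <sshguard> to any

# Keep antispoof before the first quick pass rule so spoofed packets
# never reach it.
antispoof quick for { lo $ext_if $int_if }

# The ONLY pass rule for ssh, marked quick so it is the final word:
# more than 2 new connections from one source within 120 s, or more than
# 10 concurrent ones, puts that source into <abusers> and kills its
# existing states ('flush'). The original had a second plain ssh pass
# rule after this one, which silently won every match.
pass in quick on $ext_if proto tcp to ($ext_if) port ssh flags S/SA \
    keep state (max-src-conn 10, max-src-conn-rate 2/120, overload <abusers> flush)
EOF
}

# Constructed sample in the format of the thread's auth.log snippet
# (RFC 5737 documentation addresses; 'admin' is a placeholder user).
SAMPLE_LOG='Nov  2 16:32:09 ymer sshd[42957]: Connection from 203.0.113.5 port 3453 on 192.168.1.2 port 22
Nov  2 16:32:13 ymer sshd[42957]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:32:14 ymer sshd[42959]: Connection from 203.0.113.5 port 2838 on 192.168.1.2 port 22
Nov  2 16:32:17 ymer sshd[42959]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:32:21 ymer sshd[42961]: Connection from 203.0.113.5 port 3611 on 192.168.1.2 port 22
Nov  2 16:32:34 ymer sshd[42961]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:40:01 ymer sshd[43010]: Connection from 198.51.100.7 port 50222 on 192.168.1.2 port 22
Nov  2 16:40:05 ymer sshd[43010]: Accepted publickey for admin from 198.51.100.7 port 50222 ssh2
Nov  2 16:41:00 ymer sshd[43020]: Connection from 192.0.2.44 port 4100 on 192.168.1.2 port 22
Nov  2 16:41:02 ymer sshd[43020]: Failed password for root from 192.0.2.44 port 4100 ssh2
Nov  2 16:41:04 ymer sshd[43020]: Failed password for root from 192.0.2.44 port 4100 ssh2'

# (2) Usage: ssh_failure_offenders THRESHOLD < auth.log
# Prints, sorted, every peer address with at least THRESHOLD failures.
ssh_failure_offenders() {
    awk -v thresh="$1" '
        # sshd logs the peer address on the "Connection from" line and the
        # failure on a later line; the only link between them is the child
        # pid in field 5 ("sshd[42957]:").
        function pid_of(field,   p) { p = field; sub(/^sshd\[/, "", p); sub(/\]:$/, "", p); return p }
        /sshd\[[0-9]+\]: Connection from / { peer[pid_of($5)] = $8; next }
        /sshd\[[0-9]+\]: .*Too many authentication failures/ {
            p = pid_of($5); if (p in peer) fails[peer[p]]++; next
        }
        # "Failed password for ... from A.B.C.D port N ssh2" carries the
        # address inline, so no pid lookup is needed for that format.
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] + 0 >= thresh + 0) print ip }
    ' | sort
}

# Stand-alone demo: print the fixed rules, then the offenders in the sample.
corrected_ssh_rules
printf '%s\n' "$SAMPLE_LOG" | ssh_failure_offenders 3
# On the real box the result can be fed straight into the table the
# ruleset blocks:
#   ssh_failure_offenders 3 < /var/log/auth.log | xargs -n 1 pfctl -t abusers -T add
```

With the threshold at 3 the sample yields only 203.0.113.5; the two "Failed password" lines for 192.0.2.44 fall below it. Two caveats a practitioner should keep in mind: max-src-conn-rate 2/120 also trips on a legitimate admin who reconnects three times in two minutes, so put a "pass in quick" rule for trusted sources before the ssh rule; and entries added by overload live only in the running table, so the cron snapshots from the thread are what survive a reboot, not the table itself.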




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20141104110202.GA37003>