Date:      Sun, 2 Nov 2014 16:44:44 +0100
From:      Hasse Hansson <hasse@thorshammare.org>
To:        freebsd-questions@freebsd.org
Subject:   sshguard pf
Message-ID:  <20141102154444.GA42429@ymer.thorshammare.org>


Hello

uname -a
FreeBSD ymer.thorshammare.org 10.1-RC3 FreeBSD 10.1-RC3 #0 r273437: Wed Oct 22 01:27:10 UTC 2014 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  i386

I have a bit of a problem getting some bots blocked. I'm running pf and sshguard. Even tried fail2ban.
Below is a snippet from my auth.log showing sshguard blocking some IPs, but not the bot scans.
Both tables abusers and sshguard are empty and always were.
This junk is filling up my logfiles.
Any clues what I'm doing wrong or missing?

I'm running two crontabs:
# Sshguard
0/1     *       *       *       *       root pfctl -t sshguard -T show >/etc/sshguard 2>/dev/null
#
# Bruteforce ssh
0/2     *       *       *       *       root pfctl -t abusers -T show >/etc/abusers 2>/dev/null


In /etc/ssh/sshd_config I've uncommented:
Port 22
AddressFamily any
Protocol 2
SyslogFacility AUTH
LogLevel INFO

# Authentication:

LoginGraceTime 1m
PermitRootLogin no
StrictModes yes
MaxAuthTries 5
MaxSessions 10

PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no

MaxStartups 10:30:100

In my /etc/rc.conf I have:
pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
sshguard_enable="YES"
sshguard_safety_thresh="30"
sshguard_pardon_min_interval="600"
sshguard_prescribe_interval="7200"

In /etc/pf.conf:
ext_if="fxp0"
int_if="xl0"
webports="{ http, https }"

table <abusers> counters persist
table <sshguard> persist

set skip on lo
scrub in

block in
pass out

block quick from <abusers> to any
block drop in log quick on $ext_if inet from <sshguard> to any

pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 2/120, overload <abusers> flush)

antispoof quick for { lo $ext_if $int_if }

pass in on $ext_if proto tcp to ($ext_if) port ssh
pass in log on $ext_if proto tcp to ($ext_if) port smtp
pass out log on $ext_if proto tcp from ($ext_if) to port smtp
pass in log on $ext_if proto tcp to ($ext_if) port $webports
pass out log on $ext_if proto tcp from ($ext_if) to port $webports

pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type { unreach, redir, timex }

<snip>
Nov  2 07:51:13 ymer sshguard[19225]: Blocking 103.27.24.106:4 for >900secs: 30 danger in 3 attacks over 18 seconds (all: 30d in 1 abuses over 18s).
Nov  2 10:35:35 ymer sshguard[19225]: Blocking 60.190.71.52:4 for >900secs: 30 danger in 3 attacks over 8 seconds (all: 30d in 1 abuses over 8s).
Nov  2 11:09:50 ymer sshguard[19225]: Blocking 122.225.97.105:4 for >900secs: 30 danger in 3 attacks over 65 seconds (all: 30d in 1 abuses over 65s).
Nov  2 13:10:52 ymer sshguard[19225]: Blocking 50.30.32.19:4 for >900secs: 30 danger in 3 attacks over 4 seconds (all: 30d in 1 abuses over 4s).
Nov  2 14:34:55 ymer sshguard[19225]: Blocking 61.174.51.212:4 for >900secs: 30 danger in 3 attacks over 69 seconds (all: 30d in 1 abuses over 69s).

Nov  2 16:32:09 ymer sshd[42957]: Connection from 202.109.143.110 port 3453 on 192.168.1.2 port 22
Nov  2 16:32:13 ymer sshd[42957]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:32:14 ymer sshd[42959]: Connection from 202.109.143.110 port 2838 on 192.168.1.2 port 22
Nov  2 16:32:17 ymer sshd[42959]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:32:21 ymer sshd[42961]: Connection from 202.109.143.110 port 3611 on 192.168.1.2 port 22
Nov  2 16:32:34 ymer sshd[42961]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:32:41 ymer sshd[42963]: Connection from 202.109.143.110 port 2507 on 192.168.1.2 port 22
Nov  2 16:32:48 ymer sshd[42963]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:32:49 ymer sshd[42965]: Connection from 202.109.143.110 port 4650 on 192.168.1.2 port 22
Nov  2 16:32:52 ymer sshd[42965]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:32:52 ymer sshd[42967]: Connection from 202.109.143.110 port 4650 on 192.168.1.2 port 22
Nov  2 16:33:01 ymer sshd[42967]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:33:02 ymer sshd[42983]: Connection from 202.109.143.110 port 4316 on 192.168.1.2 port 22
Nov  2 16:33:12 ymer sshd[42983]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:33:18 ymer sshd[42985]: Connection from 202.109.143.110 port 2539 on 192.168.1.2 port 22
Nov  2 16:33:27 ymer sshd[42985]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:33:28 ymer sshd[42987]: Connection from 202.109.143.110 port 4555 on 192.168.1.2 port 22
Nov  2 16:33:35 ymer sshd[42987]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:33:38 ymer sshd[42989]: Connection from 202.109.143.110 port 3164 on 192.168.1.2 port 22
Nov  2 16:33:43 ymer sshd[42989]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:33:43 ymer sshd[42991]: Connection from 202.109.143.110 port 4749 on 192.168.1.2 port 22
Nov  2 16:33:52 ymer sshd[42991]: fatal: Read from socket failed: Connection reset by peer [preauth]
</snip>

Best Regards
Hasse.
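Added example, not part of the original mail: the poster's own pf.conf ssh rules with the one change that lets the overload rule take effect. In pf the last matching rule wins unless it carries `quick`; as posted, the plain `pass in on $ext_if proto tcp to ($ext_if) port ssh` rule comes after the rate-limiting rule and matches the same SYN packets, so every ssh connection is tracked under the plain rule and `max-src-conn-rate 2/120` with `overload <abusers>` is never evaluated. The auth.log above shows 11 connections from one address in about 95 seconds, far over 2 per 120 seconds, so the limit would have been tripped had that rule been the one that matched. Variable and table names are the ones from the posted config.

```pf
ext_if="fxp0"

table <abusers> counters persist
table <sshguard> persist

block in
pass out

# Both block rules already carry quick, so they are final when matched.
block quick from <abusers> to any
block drop in log quick on $ext_if inet from <sshguard> to any

# The rate-limiting rule is now the only pass rule for ssh and is marked
# quick, so no later rule can match the same packets and take over the
# state. Sources opening more than 2 connections per 120 seconds, or
# holding more than 10 at once, are added to <abusers> and their states
# are flushed.
pass in quick on $ext_if proto tcp to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 2/120, overload <abusers> flush)

# The duplicate rule that followed in the posted config is removed:
#   pass in on $ext_if proto tcp to ($ext_if) port ssh
# With it present, that bare rule was the last match for ssh SYNs, so the
# overload options above never applied and <abusers> stayed empty.
```

After reloading with `pfctl -f /etc/pf.conf`, `pfctl -t abusers -T show` should start listing addresses once a source exceeds the rate, and `pfctl -vsr` shows per-rule evaluation and match counters that confirm which rule is actually catching the ssh traffic.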
