Date: Sun, 2 Nov 2014 16:44:44 +0100
From: Hasse Hansson <hasse@thorshammare.org>
To: freebsd-questions@freebsd.org
Subject: sshguard pf
Message-ID: <20141102154444.GA42429@ymer.thorshammare.org>
Hello

uname -a
FreeBSD ymer.thorshammare.org 10.1-RC3 FreeBSD 10.1-RC3 #0 r273437: Wed Oct 22 01:27:10 UTC 2014 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC i386

I have a bit of a problem getting some bots blocked. I'm running pf and sshguard. Even tried fail2ban.
Below is a snippet from my auth.log showing sshguard blocking some IPs, but not the bot scans.
Both tables abusers and sshguard are empty and always were.
This junk is filling up my logfiles.
Any clues what I'm doing wrong or missing?

I'm running two crontabs:

# Sshguard
0/1 * * * * root pfctl -t sshguard -T show >/etc/sshguard 2>/dev/null
#
# Bruteforce ssh
0/2 * * * * root pfctl -t abusers -T show >/etc/abusers 2>/dev/null

In /etc/ssh/sshd_config I've uncommented:

Port 22
AddressFamily any
Protocol 2
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 1m
PermitRootLogin no
StrictModes yes
MaxAuthTries 5
MaxSessions 10
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
MaxStartups 10:30:100

In my /etc/rc.conf I have:

pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
sshguard_enable="YES"
sshguard_safety_thresh="30"
sshguard_pardon_min_interval="600"
sshguard_prescribe_interval="7200"

In /etc/pf.conf:

ext_if="fxp0"
int_if="xl0"
webports="{ http, https }"
table <abusers> counters persist
table <sshguard> persist
set skip on lo
scrub in
block in
pass out
block quick from <abusers> to any
block drop in log quick on $ext_if inet from <sshguard> to any
pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 2/120, overload <abusers> flush)
antispoof quick for { lo $ext_if $int_if }
pass in on $ext_if proto tcp to ($ext_if) port ssh
pass in log on $ext_if proto tcp to ($ext_if) port smtp
pass out log on $ext_if proto tcp from ($ext_if) to port smtp
pass in log on $ext_if proto tcp to ($ext_if) port $webports
pass out log on $ext_if proto tcp from ($ext_if) to port $webports
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type { unreach, redir, timex }

<snip>
Nov  2 07:51:13 ymer sshguard[19225]: Blocking 103.27.24.106:4 for >900secs: 30 danger in 3 attacks over 18 seconds (all: 30d in 1 abuses over 18s).
Nov  2 10:35:35 ymer sshguard[19225]: Blocking 60.190.71.52:4 for >900secs: 30 danger in 3 attacks over 8 seconds (all: 30d in 1 abuses over 8s).
Nov  2 11:09:50 ymer sshguard[19225]: Blocking 122.225.97.105:4 for >900secs: 30 danger in 3 attacks over 65 seconds (all: 30d in 1 abuses over 65s).
Nov  2 13:10:52 ymer sshguard[19225]: Blocking 50.30.32.19:4 for >900secs: 30 danger in 3 attacks over 4 seconds (all: 30d in 1 abuses over 4s).
Nov  2 14:34:55 ymer sshguard[19225]: Blocking 61.174.51.212:4 for >900secs: 30 danger in 3 attacks over 69 seconds (all: 30d in 1 abuses over 69s).

Nov  2 16:32:09 ymer sshd[42957]: Connection from 202.109.143.110 port 3453 on 192.168.1.2 port 22
Nov  2 16:32:13 ymer sshd[42957]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:32:14 ymer sshd[42959]: Connection from 202.109.143.110 port 2838 on 192.168.1.2 port 22
Nov  2 16:32:17 ymer sshd[42959]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:32:21 ymer sshd[42961]: Connection from 202.109.143.110 port 3611 on 192.168.1.2 port 22
Nov  2 16:32:34 ymer sshd[42961]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:32:41 ymer sshd[42963]: Connection from 202.109.143.110 port 2507 on 192.168.1.2 port 22
Nov  2 16:32:48 ymer sshd[42963]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:32:49 ymer sshd[42965]: Connection from 202.109.143.110 port 4650 on 192.168.1.2 port 22
Nov  2 16:32:52 ymer sshd[42965]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:32:52 ymer sshd[42967]: Connection from 202.109.143.110 port 4650 on 192.168.1.2 port 22
Nov  2 16:33:01 ymer sshd[42967]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:33:02 ymer sshd[42983]: Connection from 202.109.143.110 port 4316 on 192.168.1.2 port 22
Nov  2 16:33:12 ymer sshd[42983]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:33:18 ymer sshd[42985]: Connection from 202.109.143.110 port 2539 on 192.168.1.2 port 22
Nov  2 16:33:27 ymer sshd[42985]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:33:28 ymer sshd[42987]: Connection from 202.109.143.110 port 4555 on 192.168.1.2 port 22
Nov  2 16:33:35 ymer sshd[42987]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:33:38 ymer sshd[42989]: Connection from 202.109.143.110 port 3164 on 192.168.1.2 port 22
Nov  2 16:33:43 ymer sshd[42989]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:33:43 ymer sshd[42991]: Connection from 202.109.143.110 port 4749 on 192.168.1.2 port 22
Nov  2 16:33:52 ymer sshd[42991]: fatal: Read from socket failed: Connection reset by peer [preauth]
</snip>

Best Regards
Hasse.
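The log excerpt above has a property worth seeing in code: with PasswordAuthentication disabled, the bot never produces a "Failed password" line. All sshd records is a "Connection from" line and, once MaxAuthTries is exhausted, "Disconnecting: Too many authentication failures for root [preauth]", and that second line carries no client address at all; it has to be joined back to the "Connection from" line through the sshd pid. A log-driven blocker only counts the messages its parser has a signature for, so which signatures it knows decides whether such a bot ever reaches the danger threshold. The following is an added illustration, written for this page and not code from sshguard, pf or the poster: a toy monitor in the style of sshguard that scores recognised attacks per source in a sliding window and emits the pfctl command that would put the source into a pf table. The signature names, the danger/threshold/window/block numbers, the year used for syslog timestamps and every sample log line are constructed (documentation-range addresses standing in for the bot); the line formats mirror those in the post.

```python
"""Toy sshguard-style monitor: turn sshd log lines into pf table updates.
Added illustration, not sshguard's or pf's code; the signature names, the
danger/threshold/window numbers and all sample log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# syslog prefix as written on FreeBSD: "Nov  2 16:32:09 host sshd[pid]: msg"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
                     r"(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# sshd names the peer once per connection; later messages from the same pid
# (such as the MaxAuthTries disconnect) carry no address of their own.
CONN_RE = re.compile(rf"^Connection from (?P<ip>{IP}) port \d+")
# One regex = one "attack".  A monitor only counts messages it has a signature
# for: a parser that knows "Failed password" but not the MaxAuthTries disconnect
# never sees a bot cut off by MaxAuthTries where PasswordAuthentication is off.
SIGNATURES = {
    "failed_password": re.compile(
        rf"Failed password for (?:invalid user )?\S+ from (?P<ip>{IP})"),
    "too_many_failures": re.compile(
        r"^Disconnecting: Too many authentication failures"),
}
SYSLOG_YEAR = 2014  # syslog stamps carry no year; assumed from the post's date


def parse_ts(text):
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR)


class Monitor:
    """Sliding-window danger counter modelled loosely on sshguard's scoring."""

    def __init__(self, signature_names, table="sshguard",
                 danger=10, threshold=30, window=600, block=900):
        self.signatures = [SIGNATURES[n] for n in signature_names]
        self.table, self.danger, self.threshold = table, danger, threshold
        self.window, self.block = timedelta(seconds=window), timedelta(seconds=block)
        self.pid_ip = {}                   # sshd pid -> peer address
        self.attacks = defaultdict(deque)  # ip -> timestamps of recent attacks
        self.blocked = {}                  # ip -> block expiry
        self.commands = []                 # pfctl commands emitted, in order

    def feed(self, line):
        """Process one log line; return the pfctl command it triggered, if any."""
        m = LINE_RE.match(line)
        if not m or m["prog"] != "sshd":
            return None
        ts, pid, msg = parse_ts(m["ts"]), m["pid"], m["msg"]
        conn = CONN_RE.match(msg)
        if conn:
            self.pid_ip[pid] = conn["ip"]
            return None
        for rx in self.signatures:
            hit = rx.search(msg)
            if hit:  # address from the message itself, else from this pid's connection
                ip = hit.groupdict().get("ip") or self.pid_ip.get(pid)
                return self._attack(ip, ts) if ip else None
        return None

    def _attack(self, ip, ts):
        if ip in self.blocked and ts < self.blocked[ip]:
            return None                    # already in the table
        q = self.attacks[ip]
        q.append(ts)
        while ts - q[0] > self.window:     # forget attacks outside the window
            q.popleft()
        if len(q) * self.danger < self.threshold:
            return None
        self.blocked[ip] = ts + self.block
        q.clear()
        cmd = f"pfctl -t {self.table} -T add {ip}"
        self.commands.append(cmd)
        return cmd


def run(lines, signature_names):
    mon = Monitor(signature_names)
    for line in lines:
        mon.feed(line)
    return mon


# Constructed sample: a bot exhausting MaxAuthTries four times (documentation
# address 203.0.113.7), then a classic password guesser (198.51.100.9).
SAMPLE_LOG = """\
Nov  2 16:32:09 ymer sshd[42957]: Connection from 203.0.113.7 port 3453 on 192.168.1.2 port 22
Nov  2 16:32:13 ymer sshd[42957]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:32:14 ymer sshd[42959]: Connection from 203.0.113.7 port 2838 on 192.168.1.2 port 22
Nov  2 16:32:17 ymer sshd[42959]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:32:21 ymer sshd[42961]: Connection from 203.0.113.7 port 3611 on 192.168.1.2 port 22
Nov  2 16:32:34 ymer sshd[42961]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:32:41 ymer sshd[42963]: Connection from 203.0.113.7 port 2507 on 192.168.1.2 port 22
Nov  2 16:32:48 ymer sshd[42963]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:40:00 ymer sshd[43001]: Failed password for invalid user admin from 198.51.100.9 port 40000 ssh2
Nov  2 16:40:02 ymer sshd[43001]: Failed password for invalid user admin from 198.51.100.9 port 40000 ssh2
Nov  2 16:40:04 ymer sshd[43001]: Failed password for invalid user admin from 198.51.100.9 port 40000 ssh2
""".splitlines()
```

Run with only the "failed_password" signature, the monitor blocks the password guesser and never touches 203.0.113.7, even though that host opened four connections and was cut off by MaxAuthTries every time; with "too_many_failures" added, 203.0.113.7 is blocked at its third disconnect (30 danger in 3 attacks, the same shape as the sshguard lines in the post) and the fourth is ignored because the address is already in the table. Two things a practitioner would check against the setup in the post follow from this. First, whether the installed sshguard's log parser has a signature for the "Too many authentication failures" message, since with PasswordAuthentication disabled that message is the only trace the bot leaves; `pfctl -t sshguard -T show` after a burst tells whether anything was added. Second, pf rule order: pf evaluates rules top to bottom and the last matching rule wins unless it is marked `quick`, so the later `pass in on $ext_if proto tcp to ($ext_if) port ssh` rule matches the same SYNs as the earlier overload rule and takes precedence, and the state it creates carries no `max-src-conn-rate` or `overload <abusers>` options. That alone would keep <abusers> empty regardless of how hard the bots hit.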
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20141102154444.GA42429>