Date:      Wed, 5 Oct 2005 14:53:03 -0500
From:      Noel Jones <noeldude@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: bruteforceblocker + PF
Message-ID:  <cce506b0510051253r2ca4f6eeg618238d94d468fb8@mail.gmail.com>
In-Reply-To: <200510051204.54331.eayesta@portugalete.uned.es>
References:  <200510051204.54331.eayesta@portugalete.uned.es>

On 10/5/05, Enrique Ayesta Perojo <eayesta@portugalete.uned.es> wrote:
> Hello, I'm trying to install the bruteforceblocker script to stop ssh attacks,
> but I'm having a problem with PF because it seems not to block the attacker
> ip.
>
> The machine is connected to internet and has some needed services for the LAN,
> so I want to log and block only outside attacks.
>
> The bruteforceblocker script seems to be working, because I can read the
> initial time of it at /var/log/auth.log, so I think the problem may be at my
> pf configuration.
>
> Any help?
>
> Thanks a lot
>
> ####/etc/pf.conf####
> table <bruteforce> persist file "/var/log/bruteforce"
>
> # options
> set block-policy return
> set loginterface $ext_if
>
> # scrub
> scrub in all
>
> # filter rules
> block all
>
> pass quick on lo0 all
>
> pass in  on bge0 from 10.200.62.0/24 to 10.200.62.17
> pass out on bge0 from 10.200.62.17 to 10.200.62.0/24
>
> block in log quick inet proto tcp from <bruteforce> to any port ssh


I'm going to assume this is just a small part of your pf.conf, because
the part you show doesn't allow any internet access.  Maybe you should
show us your entire pf.conf.

Do your rules display as expected?
# pfctl -s rules

Did you reload pf after you edited pf.conf?
# pfctl -f /etc/pf.conf

Are you testing this from outside the 10.200.x.x network?

In your auth.log do you see bruteforceblocker messages such as:

220.92.126.217 was logged with total count of 1.

when an ssh login fails?
And then after $max_attempts is exceeded you should see:

IP 202.92.126.217 reached the maximum number of failed attempts!!!
Adding IP to the firewall...

--
Noel Jones
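The auth.log messages Noel quotes come from bruteforceblocker's counting step. What follows is an added example, not code from this thread or from the bruteforceblocker project: it reproduces that step over a constructed auth.log excerpt and prints the pfctl commands that would populate the <bruteforce> table named in the quoted pf.conf. The threshold of 3, the hostname and the log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from bruteforceblocker): count failed
# ssh logins per source address the way the script does, then print the pfctl
# commands that would add offenders to the pf table. Dry run: nothing is executed.

MAX_ATTEMPTS=3      # stands in for the script's $max_attempts (constructed value)
TABLE=bruteforce    # table name from the quoted pf.conf

# Constructed auth.log excerpt in the usual OpenSSH message format (not real data).
SAMPLE_LOG='Oct  5 12:01:02 host sshd[2101]: Failed password for root from 220.92.126.217 port 4412 ssh2
Oct  5 12:01:05 host sshd[2101]: Failed password for root from 220.92.126.217 port 4412 ssh2
Oct  5 12:01:09 host sshd[2103]: Failed password for invalid user admin from 220.92.126.217 port 4420 ssh2
Oct  5 12:02:00 host sshd[2110]: Failed password for enrique from 10.200.62.40 port 51000 ssh2
Oct  5 12:02:30 host sshd[2111]: Accepted publickey for enrique from 10.200.62.40 port 51002 ssh2
Oct  5 12:03:00 host sshd[2115]: Failed password for root from 202.92.126.217 port 3300 ssh2'

# Read auth.log lines on stdin; print "count ip" per source, highest count first.
count_failed() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print only the addresses that reached MAX_ATTEMPTS, one per line.
offenders() {
    count_failed | awk -v max="$MAX_ATTEMPTS" '$1 >= max { print $2 }'
}

# Emit the pfctl command that adds each offender to the table. The real script
# runs this itself; with "persist file" in pf.conf the address must also be in
# that file to survive a "pfctl -f /etc/pf.conf" reload (assumption: check the
# script's configuration for where it writes).
block_commands() {
    offenders | while read -r ip; do
        echo "pfctl -t $TABLE -T add $ip"
    done
}

echo "$SAMPLE_LOG" | block_commands
# Verify on the firewall afterwards with:  pfctl -t bruteforce -T show
```

Comparing the output of `pfctl -t bruteforce -T show` with the "Adding IP to the firewall..." lines in auth.log tells you whether the script or the ruleset is the part that is failing.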