Date: Wed, 15 Nov 2006 00:35:08 -0800
From: "Leo L. Schwab" <ewhac@best.com>
To: freebsd-questions@freebsd.org
Subject: Re: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong? (Solved!)
Message-ID: <20061115083508.GA20738@best.com>
In-Reply-To: <455836A2.6010004@gmx.net>
References: <20061113060528.GA7646@best.com> <455836A2.6010004@gmx.net>
After instrumenting 'bruteblock' (and accidentally causing auth.log to explode), I discovered that the ssh.conf file that ships with it won't work on FreeBSD 6.1 (or at least my copy of it). The shipped regexp looks for "illegal" users. But 'sshd' on FreeBSD 6.1 records login attempts of "invalid" users.

The patch appended below got it to work on my system.

My thanks to everyone who chimed in with suggestions. They were greatly appreciated.

Schwab

--- ssh.conf.dist Mon Oct 30 21:17:34 2006
+++ ssh.conf Wed Nov 15 00:20:29 2006
@@ -6,16 +6,16 @@
# this regexp for the OpenSSH server matches lines like:
#
# comment: auth via key only
-#sshd[72593]: Illegal user hacker from 1.2.3.4
+#sshd[72593]: Invalid user hacker from 1.2.3.4
#
# comment: pwd auth, but no such user
-#sshd[72593]: Failed password for illegal user sammmm from 1.2.3.4
+#sshd[72593]: Failed password for invalid user sammmm from 1.2.3.4
#
# comment: correct user, but wrong password
#sshd[72626]: Failed password for samm from 1.2.3.4
#
-regexp = sshd.*Illegal user \S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
-regexp1 = sshd.*Failed password for (?:illegal user )?\S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
+regexp = sshd.*Invalid user \S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
+regexp1 = sshd.*Failed password for (?:invalid user )?\S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
# Number of failed login attempts within time before we block
max_count = 4
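Review bot: the two replaced regexp lines at the end of the hunk drop the "Illegal user" wording entirely, so the shipped config would stop matching any sshd that still logs "Illegal user"; if ssh.conf is meant to keep working on both, an alternation covers both spellings in one line, e.g. "regexp = sshd.*(?:Illegal|Invalid) user \S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" and "(?:(?:illegal|invalid) user )?" in regexp1. Separately, the capture group in both regexps accepts only a dotted-quad IPv4 address, so attempts arriving over IPv6 are never counted toward max_count; the comment block at the top of the hunk should say so, since the "matches lines like" examples only show 1.2.3.4.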
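As an added illustration of the mismatch the message describes (example code written for this page, not bruteblock's own and not part of the thread): the patched regexps applied to constructed sample auth.log lines and counted against max_count = 4, widened with an alternation so that both the old "Illegal" and the FreeBSD 6.1 "Invalid" sshd wording are matched by one config.

```python
import re
from collections import Counter

# Same patterns as the patched ssh.conf, widened (an assumption made here,
# not the mailing-list patch) to accept both the old "Illegal" and the
# newer "Invalid" sshd wording so one config works against either sshd.
IPV4 = r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
PATTERNS = [
    re.compile(r"sshd.*(?:Illegal|Invalid) user \S+ from " + IPV4),
    re.compile(r"sshd.*Failed password for (?:(?:illegal|invalid) user )?\S+ from " + IPV4),
]
MAX_COUNT = 4  # mirrors "max_count = 4" in ssh.conf


def source_ip(line):
    """Return the client IP if the line is a failed-login record, else None."""
    for pat in PATTERNS:
        m = pat.search(line)
        if m:
            return m.group(1)  # first match wins, so a line is counted once
    return None


def offenders(lines, max_count=MAX_COUNT):
    """Count failed attempts per IP and return the IPs that reach max_count."""
    counts = Counter()
    for line in lines:
        ip = source_ip(line)
        if ip:
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= max_count}


# Constructed sample auth.log lines: FreeBSD 6.1-style "Invalid" wording,
# one older "Illegal" line, a wrong-password line for a real user, and one
# successful login that must not be counted.
SAMPLE_LOG = """\
Nov 15 00:01:01 host sshd[72593]: Invalid user hacker from 192.0.2.10
Nov 15 00:01:02 host sshd[72593]: Failed password for invalid user hacker from 192.0.2.10 port 51122 ssh2
Nov 15 00:01:03 host sshd[72594]: Invalid user admin from 192.0.2.10
Nov 15 00:01:04 host sshd[72594]: Failed password for invalid user admin from 192.0.2.10 port 51123 ssh2
Nov 15 00:01:05 host sshd[72600]: Illegal user test from 198.51.100.7
Nov 15 00:01:06 host sshd[72626]: Failed password for samm from 203.0.113.5 port 4022 ssh2
Nov 15 00:01:07 host sshd[72627]: Accepted publickey for samm from 203.0.113.5 port 4023 ssh2
""".splitlines()

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))  # {'192.0.2.10': 4}
```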