From owner-freebsd-questions@FreeBSD.ORG Tue Nov 4 02:58:45 2014
From: Fbsd8
To: Hasse Hansson
Cc: freebsd-questions@freebsd.org
Date: Tue, 04 Nov 2014 08:34:22 +0800
Subject: Re: sshguard pf
Message-ID: <54581F0E.4080404@a1poweruser.com>
In-Reply-To: <20141102154444.GA42429@ymer.thorshammare.org>
References: <20141102154444.GA42429@ymer.thorshammare.org>
Hasse Hansson wrote:
> Hello
>
> uname -a
> FreeBSD ymer.thorshammare.org 10.1-RC3 FreeBSD 10.1-RC3 #0 r273437: Wed Oct 22 01:27:10 UTC 2014
> root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC i386
>
> I have a bit of a problem getting some bots blocked. I'm running pf and sshguard. Even tried fail2ban.
> Below is a snippet from my auth.log showing sshguard blocking some IPs, but not the bot scans.
> Both tables abusers and sshguard are empty and always were.
> This junk is filling up my logfiles.
> Any clues what I'm doing wrong or missing?
>
> I'm running two crontabs:
> # Sshguard
> 0/1 * * * * root pfctl -t sshguard -T show >/etc/sshguard 2>/dev/null
> #
> # Bruteforce ssh
> 0/2 * * * * root pfctl -t abusers -T show >/etc/abusers 2>/dev/null
>
>
> In /etc/ssh/sshd_config I've uncommented:
> Port 22
> AddressFamily any
> Protocol 2
> SyslogFacility AUTH
> LogLevel INFO
>
> # Authentication:
>
> LoginGraceTime 1m
> PermitRootLogin no
> StrictModes yes
> MaxAuthTries 5
> MaxSessions 10
>
> PasswordAuthentication no
> PermitEmptyPasswords no
> ChallengeResponseAuthentication no
>
> MaxStartups 10:30:100
>
> In my /etc/rc.conf I have:
> pf_enable="YES"
> pflog_enable="YES"
> pflog_logfile="/var/log/pflog"
> sshguard_enable="YES"
> sshguard_safety_thresh="30"
> sshguard_pardon_min_interval="600"
> sshguard_prescribe_interval="7200"
>
> In /etc/pf.conf:
> ext_if="fxp0"
> int_if="xl0"
> webports="{ http, https }"
>
> table counters persist
> table persist
>
> set skip on lo
> scrub in
>
> block in
> pass out
>
> block quick from to any
> block drop in log quick on $ext_if inet from to any
>
> pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 2/120, overload flush)
>
> antispoof quick for { lo $ext_if $int_if }
>
> pass in on $ext_if proto tcp to ($ext_if) port ssh
> pass in log on $ext_if proto tcp to ($ext_if) port smtp
> pass out log on $ext_if proto tcp from ($ext_if) to port smtp
> pass in log on $ext_if proto tcp to ($ext_if) port $webports
> pass out log on $ext_if proto tcp from ($ext_if) to port $webports
>
> pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type { unreach, redir, timex }
>
>
> Nov 2 07:51:13 ymer sshguard[19225]: Blocking 103.27.24.106:4 for >900secs: 30 danger in 3 attacks over 18 seconds (all: 30d in 1 abuses over 18s).
> Nov 2 10:35:35 ymer sshguard[19225]: Blocking 60.190.71.52:4 for >900secs: 30 danger in 3 attacks over 8 seconds (all: 30d in 1 abuses over 8s).
> Nov 2 11:09:50 ymer sshguard[19225]: Blocking 122.225.97.105:4 for >900secs: 30 danger in 3 attacks over 65 seconds (all: 30d in 1 abuses over 65s).
> Nov 2 13:10:52 ymer sshguard[19225]: Blocking 50.30.32.19:4 for >900secs: 30 danger in 3 attacks over 4 seconds (all: 30d in 1 abuses over 4s).
> Nov 2 14:34:55 ymer sshguard[19225]: Blocking 61.174.51.212:4 for >900secs: 30 danger in 3 attacks over 69 seconds (all: 30d in 1 abuses over 69s).
>
> Nov 2 16:32:09 ymer sshd[42957]: Connection from 202.109.143.110 port 3453 on 192.168.1.2 port 22
> Nov 2 16:32:13 ymer sshd[42957]: Disconnecting: Too many authentication failures for root [preauth]
> Nov 2 16:32:14 ymer sshd[42959]: Connection from 202.109.143.110 port 2838 on 192.168.1.2 port 22
> Nov 2 16:32:17 ymer sshd[42959]: Disconnecting: Too many authentication failures for root [preauth]
> Nov 2 16:32:21 ymer sshd[42961]: Connection from 202.109.143.110 port 3611 on 192.168.1.2 port 22
> Nov 2 16:32:34 ymer sshd[42961]: Disconnecting: Too many authentication failures for root [preauth]
> Nov 2 16:32:41 ymer sshd[42963]: Connection from 202.109.143.110 port 2507 on 192.168.1.2 port 22
> Nov 2 16:32:48 ymer sshd[42963]: Disconnecting: Too many authentication failures for root [preauth]
> Nov 2 16:32:49 ymer sshd[42965]: Connection from 202.109.143.110 port 4650 on 192.168.1.2 port 22
> Nov 2 16:32:52 ymer sshd[42965]: Disconnecting: Too many authentication failures for root [preauth]
> Nov 2 16:32:52 ymer sshd[42967]: Connection from 202.109.143.110 port 4650 on 192.168.1.2 port 22
> Nov 2 16:33:01 ymer sshd[42967]: Disconnecting: Too many authentication failures for root [preauth]
> Nov 2 16:33:02 ymer sshd[42983]: Connection from 202.109.143.110 port 4316 on 192.168.1.2 port 22
> Nov 2 16:33:12 ymer sshd[42983]: Disconnecting: Too many authentication failures for root [preauth]
> Nov 2 16:33:18 ymer sshd[42985]: Connection from 202.109.143.110 port 2539 on 192.168.1.2 port 22
> Nov 2 16:33:27 ymer sshd[42985]: Disconnecting: Too many authentication failures for root [preauth]
> Nov 2 16:33:28 ymer sshd[42987]: Connection from 202.109.143.110 port 4555 on 192.168.1.2 port 22
> Nov 2 16:33:35 ymer sshd[42987]: Disconnecting: Too many authentication failures for root [preauth]
> Nov 2 16:33:38 ymer sshd[42989]: Connection from 202.109.143.110 port 3164 on 192.168.1.2 port 22
> Nov 2 16:33:43 ymer sshd[42989]: Disconnecting: Too many authentication failures for root [preauth]
> Nov 2 16:33:43 ymer sshd[42991]: Connection from 202.109.143.110 port 4749 on 192.168.1.2 port 22
> Nov 2 16:33:52 ymer sshd[42991]: fatal: Read from socket failed: Connection reset by peer [preauth]
>
>
> Best Regards
> Hasse.

You are being attacked by script kiddies and bots; they scan a whole IP address range looking for open port 22, and when it's found they start their login attack. Changing ssh to use some other port number will stop this attack altogether. I changed ssh to use port '4422' 25 years ago and no attacks since. Another way is to use the port named 'knock' to temporarily open port 22 if preceded by knock
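As an added example (not code from the thread or from sshguard), here is a small check for the gap Hasse describes: sshd's "Too many authentication failures" line carries no client address, so it is tied back to the "Connection from" line with the same sshd PID, counted per client IP, and compared against the IPs sshguard logged a block for. The log excerpt is constructed from the line shapes quoted above; the "Connection from 103.27.24.106" line is made up to pair with its Blocking line.

```python
import re
from collections import defaultdict

# Constructed auth.log excerpt in the shape of the lines quoted in the thread
# (the 103.27.24.106 sshd lines are invented to pair with its sshguard block).
AUTH_LOG = """\
Nov 2 07:51:09 ymer sshd[19300]: Connection from 103.27.24.106 port 2222 on 192.168.1.2 port 22
Nov 2 07:51:12 ymer sshd[19300]: Disconnecting: Too many authentication failures for root [preauth]
Nov 2 07:51:13 ymer sshguard[19225]: Blocking 103.27.24.106:4 for >900secs: 30 danger in 3 attacks over 18 seconds (all: 30d in 1 abuses over 18s).
Nov 2 16:32:09 ymer sshd[42957]: Connection from 202.109.143.110 port 3453 on 192.168.1.2 port 22
Nov 2 16:32:13 ymer sshd[42957]: Disconnecting: Too many authentication failures for root [preauth]
Nov 2 16:32:14 ymer sshd[42959]: Connection from 202.109.143.110 port 2838 on 192.168.1.2 port 22
Nov 2 16:32:17 ymer sshd[42959]: Disconnecting: Too many authentication failures for root [preauth]
Nov 2 16:32:21 ymer sshd[42961]: Connection from 202.109.143.110 port 3611 on 192.168.1.2 port 22
Nov 2 16:32:34 ymer sshd[42961]: Disconnecting: Too many authentication failures for root [preauth]
"""

CONN_RE = re.compile(r"sshd\[(\d+)\]: Connection from (\S+) port \d+ on ")
TOOMANY_RE = re.compile(r"sshd\[(\d+)\]: Disconnecting: Too many authentication failures")
# sshguard logs "Blocking <addr>:<family>"; the non-greedy group also copes with IPv6 text.
BLOCK_RE = re.compile(r"sshguard\[\d+\]: Blocking (\S+?):\d+ for ")


def correlate(log_text):
    """Tie each 'Too many authentication failures' line (no address in it)
    to the 'Connection from' line with the same sshd PID, count those events
    per client IP, and collect the IPs sshguard reported blocking."""
    pid_to_ip = {}
    failures = defaultdict(int)
    blocked = set()
    for line in log_text.splitlines():
        if m := CONN_RE.search(line):
            pid_to_ip[m.group(1)] = m.group(2)
        elif m := TOOMANY_RE.search(line):
            ip = pid_to_ip.pop(m.group(1), None)  # one sshd child per connection
            if ip:
                failures[ip] += 1
        elif m := BLOCK_RE.search(line):
            blocked.add(m.group(1))
    return dict(failures), blocked


def unblocked_abusers(log_text, threshold=3):
    """Client IPs that hit sshd's MaxAuthTries limit at least `threshold`
    times while sshguard never logged a block for them."""
    failures, blocked = correlate(log_text)
    return sorted(ip for ip, n in failures.items()
                  if n >= threshold and ip not in blocked)
```

Run against the real /var/log/auth.log to list the sources that keep tripping MaxAuthTries without ever showing up in a sshguard Blocking line; those are the ones to compare against `pfctl -t sshguard -T show`.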