Date:      Tue, 04 Nov 2014 08:34:22 +0800
From:      Fbsd8 <fbsd8@a1poweruser.com>
To:        Hasse Hansson <hasse@thorshammare.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: sshguard pf
Message-ID:  <54581F0E.4080404@a1poweruser.com>
In-Reply-To: <20141102154444.GA42429@ymer.thorshammare.org>
References:  <20141102154444.GA42429@ymer.thorshammare.org>

Hasse Hansson wrote:
> Hello
> 
> uname -a
> FreeBSD ymer.thorshammare.org 10.1-RC3 FreeBSD 10.1-RC3 #0 r273437: Wed Oct 22 01:27:10 UTC 2014 
> root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  i386
> 
> I have a bit of a problem getting some bots blocked. I'm running pf and sshguard. Even tried fail2ban.
> Below is a snippet from my auth.log showing sshguard blocking some IPs, but not the bot scans.
> Both tables, abusers and sshguard, are empty and always were.
> This junk is filling up my log files.
> Any clues as to what I'm doing wrong or missing?
> 
> I'm running two crontabs:
> # Sshguard
> 0/1     *       *       *       *       root pfctl -t sshguard -T show >/etc/sshguard 2>/dev/null
> #
> # Bruteforce ssh
> 0/2     *       *       *       *       root pfctl -t abusers -T show >/etc/abusers 2>/dev/null
> 
> 
> In /etc/ssh/sshd_config I've uncommented:
> Port 22
> AddressFamily any
> Protocol 2
> SyslogFacility AUTH
> LogLevel INFO
> 
> # Authentication:
> 
> LoginGraceTime 1m
> PermitRootLogin no
> StrictModes yes
> MaxAuthTries 5
> MaxSessions 10
> 
> PasswordAuthentication no
> PermitEmptyPasswords no
> ChallengeResponseAuthentication no
> 
> MaxStartups 10:30:100
> 
> In my /etc/rc.conf I have:
> pf_enable="YES"
> pflog_enable="YES"
> pflog_logfile="/var/log/pflog"
> sshguard_enable="YES"
> sshguard_safety_thresh="30"
> sshguard_pardon_min_interval="600"
> sshguard_prescribe_interval="7200"
> 
> In /etc/pf.conf:
> ext_if="fxp0"
> int_if="xl0"
> webports="{ http, https }"
> 
> table <abusers> counters persist
> table <sshguard> persist
> 
> set skip on lo
> scrub in
> 
> block in
> pass out
> 
> block quick from <abusers> to any
> block drop in log quick on $ext_if inet from <sshguard> to any
> 
> pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 2/120, overload <abusers> flush)
> 
> antispoof quick for { lo $ext_if $int_if }
> 
> pass in on $ext_if proto tcp to ($ext_if) port ssh
> pass in log on $ext_if proto tcp to ($ext_if) port smtp
> pass out log on $ext_if proto tcp from ($ext_if) to port smtp
> pass in log on $ext_if proto tcp to ($ext_if) port $webports
> pass out log on $ext_if proto tcp from ($ext_if) to port $webports
> 
> pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type { unreach, redir, timex }
> 
> <snip>
> Nov  2 07:51:13 ymer sshguard[19225]: Blocking 103.27.24.106:4 for >900secs: 30 danger in 3 attacks over 18 seconds (all: 30d in 1 abuses over 18s).
> Nov  2 10:35:35 ymer sshguard[19225]: Blocking 60.190.71.52:4 for >900secs: 30 danger in 3 attacks over 8 seconds (all: 30d in 1 abuses over 8s).
> Nov  2 11:09:50 ymer sshguard[19225]: Blocking 122.225.97.105:4 for >900secs: 30 danger in 3 attacks over 65 seconds (all: 30d in 1 abuses over 65s).
> Nov  2 13:10:52 ymer sshguard[19225]: Blocking 50.30.32.19:4 for >900secs: 30 danger in 3 attacks over 4 seconds (all: 30d in 1 abuses over 4s).
> Nov  2 14:34:55 ymer sshguard[19225]: Blocking 61.174.51.212:4 for >900secs: 30 danger in 3 attacks over 69 seconds (all: 30d in 1 abuses over 69s).
> 
> Nov  2 16:32:09 ymer sshd[42957]: Connection from 202.109.143.110 port 3453 on 192.168.1.2 port 22
> Nov  2 16:32:13 ymer sshd[42957]: Disconnecting: Too many authentication failures for root [preauth]
> Nov  2 16:32:14 ymer sshd[42959]: Connection from 202.109.143.110 port 2838 on 192.168.1.2 port 22
> Nov  2 16:32:17 ymer sshd[42959]: Disconnecting: Too many authentication failures for root [preauth]
> Nov  2 16:32:21 ymer sshd[42961]: Connection from 202.109.143.110 port 3611 on 192.168.1.2 port 22
> Nov  2 16:32:34 ymer sshd[42961]: Disconnecting: Too many authentication failures for root [preauth]
> Nov  2 16:32:41 ymer sshd[42963]: Connection from 202.109.143.110 port 2507 on 192.168.1.2 port 22
> Nov  2 16:32:48 ymer sshd[42963]: Disconnecting: Too many authentication failures for root [preauth]
> Nov  2 16:32:49 ymer sshd[42965]: Connection from 202.109.143.110 port 4650 on 192.168.1.2 port 22
> Nov  2 16:32:52 ymer sshd[42965]: Disconnecting: Too many authentication failures for root [preauth]
> Nov  2 16:32:52 ymer sshd[42967]: Connection from 202.109.143.110 port 4650 on 192.168.1.2 port 22
> Nov  2 16:33:01 ymer sshd[42967]: Disconnecting: Too many authentication failures for root [preauth]
> Nov  2 16:33:02 ymer sshd[42983]: Connection from 202.109.143.110 port 4316 on 192.168.1.2 port 22
> Nov  2 16:33:12 ymer sshd[42983]: Disconnecting: Too many authentication failures for root [preauth]
> Nov  2 16:33:18 ymer sshd[42985]: Connection from 202.109.143.110 port 2539 on 192.168.1.2 port 22
> Nov  2 16:33:27 ymer sshd[42985]: Disconnecting: Too many authentication failures for root [preauth]
> Nov  2 16:33:28 ymer sshd[42987]: Connection from 202.109.143.110 port 4555 on 192.168.1.2 port 22
> Nov  2 16:33:35 ymer sshd[42987]: Disconnecting: Too many authentication failures for root [preauth]
> Nov  2 16:33:38 ymer sshd[42989]: Connection from 202.109.143.110 port 3164 on 192.168.1.2 port 22
> Nov  2 16:33:43 ymer sshd[42989]: Disconnecting: Too many authentication failures for root [preauth]
> Nov  2 16:33:43 ymer sshd[42991]: Connection from 202.109.143.110 port 4749 on 192.168.1.2 port 22
> Nov  2 16:33:52 ymer sshd[42991]: fatal: Read from socket failed: Connection reset by peer [preauth]
> </snip>
> 
> Best Regards
> Hasse.

You are being attacked by script kiddies and bots; they scan a whole IP 
address range looking for an open port 22, and when it's found they start 
their login attack. Changing ssh to use some other port number will stop 
this attack altogether. I changed ssh to use port '4422' 25 years ago 
and have had no attacks since. Another way is to use the port named 'knock' to 
temporarily open port 22 if preceded by a knock.
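
[Editor's note, added to the archived thread; not part of either message above.]
Reading the posted pf.conf, the reason <abusers> stays empty is visible in the ruleset itself. pf evaluates every rule top to bottom and, where no rule says "quick", the last matching rule decides. An SSH SYN arriving on fxp0 matches both the "pass in on $ext_if proto tcp to any port ssh ... overload <abusers> flush" rule and the later "pass in on $ext_if proto tcp to ($ext_if) port ssh" rule; the later one wins, it carries no state options, so no state is ever tracked against max-src-conn-rate and nothing is ever overloaded into the table. The fragment below is an added configuration example, not the poster's file: the interface and table names are the poster's, the rest of the ruleset is left out, and 5/60 is an illustrative rate, not a recommendation.

```text
ext_if="fxp0"
table <abusers> counters persist

# --- As posted (shortened): both rules match an SSH SYN on $ext_if.
# Neither has "quick", so the LAST match decides. That is the second rule,
# which carries no state options, so nothing is ever overloaded into <abusers>.
pass in on $ext_if proto tcp to any port ssh flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 2/120, overload <abusers> flush)
pass in on $ext_if proto tcp to ($ext_if) port ssh

# --- Fixed: the table block stays ahead of the pass rule (as in the posted
# file) and there is exactly one pass rule for SSH, so its state options apply
# to every SSH state that gets created.
# Note the rate: 2/120 overloads a source on its third new connection within
# two minutes, which also catches an admin opening a third session. 5/60 is an
# example value; pick one that fits how the host is actually used.
block quick from <abusers> to any
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/60, overload <abusers> flush)
```

Two checks worth running before and after the change: "pfctl -vvsr" prints per-rule counters, and a shadowed rule shows its Evaluations counter climbing while its States counter stays at 0, because states are attached to the rule that finally matched. For the other empty table, the sshguard log line alone does not say which backend performed the block; at the time the FreeBSD port was split into sshguard (hosts.allow backend), sshguard-pf, sshguard-ipfw and sshguard-ipfilter flavors, so confirm with "pkg info" that the pf flavor is the one installed before expecting "pfctl -t sshguard -T show" to list anything.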




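A second added example, also not from the thread or from sshguard: the log excerpt shows why a per-line pattern can miss these bots. With password authentication off, each session ends in "Disconnecting: Too many authentication failures for root [preauth]", a line that carries no client address; the address is only in the earlier "Connection from ..." line of the same sshd PID. The script below correlates the two through the sshd[PID] tag, counts MaxAuthTries trips per source, and emits the pfctl commands that would add repeat offenders to a pf table. The 202.109.143.110 lines are the ones quoted above; the 203.0.113.9 and 198.51.100.7 lines, the user name "alice" and the threshold values are constructed for this example. It prints the pfctl commands rather than running them, so it is harmless anywhere; on the firewall, pipe its output into sh.

```shell
#!/bin/sh
# Added example (not from the thread or from sshguard): correlate sshd's
# "Connection from" line with the later "Too many authentication failures"
# line via the sshd PID, count trips per source, emit pfctl table adds.
# POSIX sh + awk only; nothing touches pf unless you pipe the output to sh.

# Sample input. 202.109.143.110 lines: quoted from the thread.
# 203.0.113.9 / 198.51.100.7 lines: constructed (TEST-NET addresses,
# hypothetical user "alice") to show a sub-threshold bot and a normal login.
SAMPLE_LOG='Nov  2 16:32:09 ymer sshd[42957]: Connection from 202.109.143.110 port 3453 on 192.168.1.2 port 22
Nov  2 16:32:13 ymer sshd[42957]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:32:14 ymer sshd[42959]: Connection from 202.109.143.110 port 2838 on 192.168.1.2 port 22
Nov  2 16:32:17 ymer sshd[42959]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:32:21 ymer sshd[42961]: Connection from 202.109.143.110 port 3611 on 192.168.1.2 port 22
Nov  2 16:32:34 ymer sshd[42961]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:32:41 ymer sshd[42963]: Connection from 202.109.143.110 port 2507 on 192.168.1.2 port 22
Nov  2 16:32:48 ymer sshd[42963]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:32:49 ymer sshd[42965]: Connection from 202.109.143.110 port 4650 on 192.168.1.2 port 22
Nov  2 16:32:52 ymer sshd[42965]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:32:52 ymer sshd[42967]: Connection from 202.109.143.110 port 4650 on 192.168.1.2 port 22
Nov  2 16:33:01 ymer sshd[42967]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:33:02 ymer sshd[42983]: Connection from 202.109.143.110 port 4316 on 192.168.1.2 port 22
Nov  2 16:33:12 ymer sshd[42983]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:33:18 ymer sshd[42985]: Connection from 202.109.143.110 port 2539 on 192.168.1.2 port 22
Nov  2 16:33:27 ymer sshd[42985]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:33:28 ymer sshd[42987]: Connection from 202.109.143.110 port 4555 on 192.168.1.2 port 22
Nov  2 16:33:35 ymer sshd[42987]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:33:38 ymer sshd[42989]: Connection from 202.109.143.110 port 3164 on 192.168.1.2 port 22
Nov  2 16:33:43 ymer sshd[42989]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:33:43 ymer sshd[42991]: Connection from 202.109.143.110 port 4749 on 192.168.1.2 port 22
Nov  2 16:33:52 ymer sshd[42991]: fatal: Read from socket failed: Connection reset by peer [preauth]
Nov  2 16:35:01 ymer sshd[43010]: Connection from 203.0.113.9 port 40001 on 192.168.1.2 port 22
Nov  2 16:35:06 ymer sshd[43010]: Disconnecting: Too many authentication failures for admin [preauth]
Nov  2 16:35:07 ymer sshd[43012]: Connection from 203.0.113.9 port 40002 on 192.168.1.2 port 22
Nov  2 16:35:11 ymer sshd[43012]: Disconnecting: Too many authentication failures for admin [preauth]
Nov  2 16:40:00 ymer sshd[43020]: Connection from 198.51.100.7 port 50000 on 192.168.1.2 port 22
Nov  2 16:40:02 ymer sshd[43020]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2'

# ssh_abusers THRESHOLD
# Reads auth.log lines on stdin; prints "ip count" for each source whose
# sessions were cut off by MaxAuthTries at least THRESHOLD times. The
# "Too many authentication failures" line has no address, so the PID in the
# sshd[PID] tag ($5) is used to look up that session's "Connection from" line.
ssh_abusers() {
    awk -v thresh="$1" '
        function pid_of(tag) { sub(/^sshd\[/, "", tag); sub(/\]:$/, "", tag); return tag }
        # Remember the client address ($8, v4 or v6) for this sshd PID.
        /sshd\[[0-9]+\]: Connection from [0-9A-Fa-f.:]+ port / {
            ip_of[pid_of($5)] = $8
            next
        }
        # Attribute the MaxAuthTries trip to the address of the same PID.
        /sshd\[[0-9]+\]: .*Too many authentication failures/ {
            pid = pid_of($5)
            if (pid in ip_of) trips[ip_of[pid]]++
        }
        END {
            for (ip in trips)
                if (trips[ip] >= thresh) print ip, trips[ip]
        }'
}

# pf_add_cmds TABLE THRESHOLD
# Same input; prints one "pfctl -t TABLE -T add ADDRESS" per offender.
# On the firewall: ... | pf_add_cmds abusers 3 | sh
pf_add_cmds() {
    ssh_abusers "$2" | awk -v table="$1" '{ printf "pfctl -t %s -T add %s\n", table, $1 }'
}

# Demo on the sample: one source trips MaxAuthTries ten times, one twice,
# one logs in normally and is never counted.
printf '%s\n' "$SAMPLE_LOG" | ssh_abusers 3
printf '%s\n' "$SAMPLE_LOG" | pf_add_cmds abusers 3
```

The correlation step is the point: anything that keys only on lines containing an address will count the "Connection from" lines (every connection, legitimate or not) or miss the failures entirely, which is worth keeping in mind when tuning sshguard patterns or pf thresholds against this kind of log.
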
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?54581F0E.4080404>