Date:      Tue, 2 Nov 2010 10:03:11 -0700 (PDT)
From:      "Justin V." <vic@yeaguy.com>
To:        Rob Farmer <rfarmer@predatorlabs.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: SSHgaurd and PF
Message-ID:  <alpine.BSF.2.00.1011021001001.18489@yeaguy.com>
In-Reply-To: <AANLkTikq%2BgYWD=SEY4nKboV7QUTk9DQdj2bkJ_CRpoAv@mail.gmail.com>
References:  <alpine.BSF.2.00.1011020930390.17971@yeaguy.com> <AANLkTikq%2BgYWD=SEY4nKboV7QUTk9DQdj2bkJ_CRpoAv@mail.gmail.com>





On Tue, 2 Nov 2010, Rob Farmer wrote:

> On Tue, Nov 2, 2010 at 09:34, Justin V. <vic@yeaguy.com> wrote:
>> Hi,
>>
>> Would this be considered bruteforce??
>
> Yes
>
>>
>> This goes on and on:
>>
>>
>> Nov  2 05:42:19 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING]
>> Authentication failed for user [Administrator]
>> Nov  2 05:42:53 yeaguy last message repeated 3 times
> [...]
>>
>> My sshguard config:
>
> Something isn't set up right if you are getting that many attempts -
> it should kill them right away:
>
> Nov  1 10:47:51 peridot sshd[77847]: reverse mapping checking
> getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed -
> POSSIBLE BREAK-IN ATTEMPT!
> Nov  1 10:47:53 peridot sshd[77967]: reverse mapping checking
> getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed -
> POSSIBLE BREAK-IN ATTEMPT!
> Nov  1 10:47:54 peridot sshd[78123]: reverse mapping checking
> getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed -
> POSSIBLE BREAK-IN ATTEMPT!
> Nov  1 10:47:56 peridot sshd[78228]: reverse mapping checking
> getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed -
> POSSIBLE BREAK-IN ATTEMPT!
> Nov  1 10:47:56 peridot sshguard[49177]: Blocking 178.238.137.213:4
> for >420secs: 4 failures over 5 seconds.
>
> Do you have the syslog.conf part set up as well as the pf part? I've
> only used it for ssh but something like the following needs to be
> there:
>
> auth.info;authpriv.info                         |exec /usr/local/sbin/sshguard
>
>> yeaguy#  nslookup  a214.amber.fastwebserver.de
>> Server:         10.1.1.1
>> Address:        10.1.1.1#53
>>
>> Non-authoritative answer:
>> Name:   a214.amber.fastwebserver.de
>> Address: 217.79.189.214
>>
>
> I wouldn't waste your time trying to find out who they are - just
> block and move on. That site is probably a shared web hosting account
> that was compromised by a bad php script - even if you successfully
> complain (assuming it is a legit hoster that cares) and they do
> something about it, there are thousands more.
>
> -- 
> Rob Farmer
>



This is the guide I used:

http://www.sshguard.net/docs/setup/firewall/pf/

I followed this section to block all brute attempts:

Add this line in the packet filtering (rules) section:

block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "ssh bruteforce"

Replace $ext_if with your WAN interface name if needed. Omit the proto tcp 
and the to any port 22 segment if you want to block all the traffic from 
attackers (not just ssh).


I really like this port; it just keeps the logs from filling up.

I'm not going to email their abuse desk; I'm just wishing that sshguard would do 
what I expected it to do via the how-to..   :(
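As an added illustration (not code from the thread, the how-to, or sshguard itself), this Python sketch does what sshguard would do once syslog actually pipes it the lines quoted above: parse the pure-ftpd and sshd failure messages plus syslog's "last message repeated N times", count failures per source inside a sliding window, and emit the pfctl calls that fill the <sshguard> table the pf rule references. The name-to-address map, the 4-failure/1200-second thresholds and the 2010 year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, built from the lines quoted in the thread.
SAMPLE_LOG = """\
Nov  2 05:42:19 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:42:53 yeaguy last message repeated 3 times
Nov  1 10:47:51 peridot sshd[77847]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:47:53 peridot sshd[77967]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:47:54 peridot sshd[78123]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:47:56 peridot sshd[78228]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
"""
# Assumed name->address map: pure-ftpd logs only the reverse name (the thread
# resolved it by hand); a real blocker must resolve it before feeding pf.
RESOLVE = {"a214.amber.fastwebserver.de": "217.79.189.214"}

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (.*)$")
FTP_RE = re.compile(r"pure-ftpd: \(\S*@(\S+)\) \[WARNING\] Authentication failed")
SSHD_RE = re.compile(r"sshd\[\d+\]: reverse mapping checking getaddrinfo for \S+ \[([\d.]+)\] failed")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")

def failures(log_text, year=2010):
    """Yield (timestamp, source) per failed attempt; 'repeated N times' counts as N more."""
    last = None
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        rep = REPEAT_RE.search(m.group(2))
        if rep and last:
            yield from [(ts, last)] * int(rep.group(1))
            continue
        hit = FTP_RE.search(m.group(2)) or SSHD_RE.search(m.group(2))
        last = RESOLVE.get(hit.group(1), hit.group(1)) if hit else None
        if last:
            yield ts, last

def offenders(log_text, threshold=4, window_s=1200):
    """Sources reaching `threshold` failures inside a sliding `window_s` (assumed values)."""
    seen, blocked = defaultdict(list), {}
    for ts, src in failures(log_text):
        seen[src] = [t for t in seen[src] if (ts - t).total_seconds() <= window_s] + [ts]
        if len(seen[src]) >= threshold and src not in blocked:
            blocked[src] = len(seen[src])
    return blocked

def pf_commands(blocked, table="sshguard"):
    """pfctl invocations that would populate the <sshguard> table the pf rule uses."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(blocked)]
```

Shrinking the window to 30 seconds drops the FTP source (its repeats landed 34 seconds after the first failure) while the four sshd hits in 5 seconds still trigger, which is the difference between the two logs in the thread.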




