Date: Tue, 24 Apr 2007 14:00:41 -0400 From: "Dave" <dmehler26@woh.rr.com> To: <freebsd-pf@freebsd.org> Subject: preventing ssh brute force attacks, swatch and users and table Message-ID: <00b701c7869a$795c0db0$0200a8c0@satellite>
next in thread | raw e-mail | index | archive | help
Hello, I've got a machine running ssh and i'm trying to cut down on brute force attacks on it. I'm running pf on a freebsd 6.2 box and have added in swatch to try to curve these attacks. The problem is nothing is being added to either the memory hackers table nor the ondisk copy of it. I know i'm getting hits because i'm seeing entries in my auth.log like this: Apr 21 06:18:38 zeus sshd[10609]: Did not receive identification string from 125.33.163.188 Apr 21 06:22:55 zeus sshd[10658]: User root from 125.33.163.188 not allowed because none of user's groups are listed in AllowGroups Apr 21 06:22:55 zeus sshd[10658]: Failed password for invalid user root from 125.33.163.188 port 54521 ssh2 Apr 21 06:22:57 zeus sshd[10660]: User root from 125.33.163.188 not allowed because none of user's groups are listed in AllowGroups Apr 21 06:22:57 zeus sshd[10660]: Failed password for invalid user root from 125.33.163.188 port 54727 ssh2 Apr 24 00:52:08 zeus sshd[7746]: Failed password for invalid user root from 218.205.231.39 port 61694 ssh2 Apr 24 00:52:11 zeus sshd[7749]: User root from 218.205.231.39 not allowed because none of user's groups are listed in AllowGroups Apr 24 00:52:11 zeus sshd[7749]: Failed password for invalid user root from 218.205.231.39 port 61773 ssh2 I don't want to move my ssh, i feel these bots would just find it again. I'm also getting postfix atempts i'd like to block them both. My swatch configuration looks like this: rc.conf swatch_enable="YES" swatch_rules="1" swatch_1_flags="--config-file=/usr/local/etc/swatchrc --tail-file=/var/log/auth.log --daemon --pid-file=/var/run/swatch.pid" swatch_1_user="root" swatch_1_chdir="/var/tmp" swatch_1_pidfile="/var/run/swatch.pid" In pf i have a block by default policy and i've got these lines: table <hackers> persist file "/etc/hackers" block all block in quick on $ext_if from <hackers> to any and /usr/local/etc/swatchrc calls a script that looks like: #!/bin/sh /sbin/pfctl -t hackers -T add $1 /bin/echo $1 >> /etc/hackers /usr/bin/logger swatch: $1 caught with bad login. Added to hackers pf table If there's a better way that i can get both ssh and smtp bots i'd like to know about it, also if my config is wrong let me know it's not working. One thing, i do not want to unblock atempted hackings, my feeling is those that do it should have no further interactions with my machines on any level. Thanks. Dave.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?00b701c7869a$795c0db0$0200a8c0>