Date:      Tue, 24 Apr 2007 14:00:41 -0400
From:      "Dave" <dmehler26@woh.rr.com>
To:        <freebsd-pf@freebsd.org>
Subject:   preventing ssh brute force attacks, swatch and users and table
Message-ID:  <00b701c7869a$795c0db0$0200a8c0@satellite>

Hello,
    I've got a machine running ssh and I'm trying to cut down on brute force 
attacks on it. I'm running pf on a FreeBSD 6.2 box and have added in swatch 
to try to curb these attacks. The problem is nothing is being added to 
either the in-memory hackers table nor the on-disk copy of it. I know I'm 
getting hits because I'm seeing entries in my auth.log like this:

Apr 21 06:18:38 zeus sshd[10609]: Did not receive identification string from 
125.33.163.188
Apr 21 06:22:55 zeus sshd[10658]: User root from 125.33.163.188 not allowed 
because none of user's groups are listed in AllowGroups
Apr 21 06:22:55 zeus sshd[10658]: Failed password for invalid user root from 
125.33.163.188 port 54521 ssh2
Apr 21 06:22:57 zeus sshd[10660]: User root from 125.33.163.188 not allowed 
because none of user's groups are listed in AllowGroups
Apr 21 06:22:57 zeus sshd[10660]: Failed password for invalid user root from 
125.33.163.188 port 54727 ssh2
Apr 24 00:52:08 zeus sshd[7746]: Failed password for invalid user root from 
218.205.231.39 port 61694 ssh2
Apr 24 00:52:11 zeus sshd[7749]: User root from 218.205.231.39 not allowed 
because none of user's groups are listed in AllowGroups
Apr 24 00:52:11 zeus sshd[7749]: Failed password for invalid user root from 
218.205.231.39 port 61773 ssh2

I don't want to move my ssh, I feel these bots would just find it again. I'm 
also getting postfix attempts; I'd like to block them both. My swatch 
configuration looks like this:

rc.conf
swatch_enable="YES"
swatch_rules="1"
swatch_1_flags="--config-file=/usr/local/etc/swatchrc --tail-file=/var/log/auth.log --daemon --pid-file=/var/run/swatch.pid"
swatch_1_user="root"
swatch_1_chdir="/var/tmp"
swatch_1_pidfile="/var/run/swatch.pid"

In pf I have a block by default policy and I've got these lines:
table <hackers> persist file "/etc/hackers"
block all
block in quick on $ext_if from <hackers> to any

and /usr/local/etc/swatchrc calls a script that looks like:
#!/bin/sh
# Called by swatch with the offending address as $1.
/sbin/pfctl -t hackers -T add "$1"
/bin/echo "$1" >> /etc/hackers
/usr/bin/logger "swatch: $1 caught with bad login. Added to hackers pf table"

If there's a better way that I can get both ssh and smtp bots I'd like to 
know about it, also if my config is wrong let me know, it's not working. One 
thing, I do not want to unblock attempted hackings, my feeling is those that 
do it should have no further interactions with my machines on any level.
Thanks.
Dave.
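As an added example that is not part of Dave's post, here is a hardened version of the kind of action script swatch would call with the offending address. It adds what the posted script lacks: it checks that its argument is actually a dotted-quad IPv4 address before handing it to pfctl, skips addresses already present in the persistent file so the on-disk copy does not fill with duplicates, and only appends to the file if pfctl accepted the address, so the in-memory table and the file stay in sync. The `extract_failed_ip` helper shows how the source address is pulled out of a `Failed password` line like the ones in the post. `PFCTL`, `HACKERS_FILE`, `log_msg`, `is_ipv4`, `extract_failed_ip` and `block_ip` are names assumed here; the sample log line is copied from the post.

```shell
#!/bin/sh
# Added example, not the original poster's script. PFCTL and HACKERS_FILE are
# overridable assumptions so the functions can be exercised without a live pf.
PFCTL=${PFCTL:-/sbin/pfctl}
HACKERS_FILE=${HACKERS_FILE:-/etc/hackers}

# Log through syslog when logger is available, otherwise to stderr.
log_msg() {
    if command -v logger >/dev/null 2>&1; then
        logger -t swatch -- "$*" 2>/dev/null || :
    else
        printf 'swatch: %s\n' "$*" >&2
    fi
}

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|'') return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the source address of an sshd "Failed password" line; print nothing
# for any other line, so unrelated lines never reach pfctl.
extract_failed_ip() {
    printf '%s\n' "$1" |
        sed -n 's/.*Failed password for .* from \([0-9.]*\) port .*/\1/p'
}

# Add $1 to the pf table and the on-disk copy exactly once.
# Returns 0 when added, 1 when rejected or pfctl failed, 2 when already present.
block_ip() {
    ip=$1
    if ! is_ipv4 "$ip"; then
        log_msg "rejected non-IPv4 argument: $ip"
        return 1
    fi
    # -F -x: match the whole line literally, so the dots are not wildcards.
    if grep -qxF "$ip" "$HACKERS_FILE" 2>/dev/null; then
        return 2
    fi
    if ! "$PFCTL" -t hackers -T add "$ip"; then
        log_msg "pfctl failed to add $ip, file left unchanged"
        return 1
    fi
    printf '%s\n' "$ip" >> "$HACKERS_FILE"
    log_msg "$ip caught with bad login, added to hackers pf table"
    return 0
}

# When invoked directly (as swatch would), act on the first argument.
if [ -n "${1-}" ]; then
    block_ip "$1"
fi
```

Because the file is only written after pfctl succeeds, an address that pf rejects (a malformed token that slipped through a loose swatch regex, for instance) never ends up in `/etc/hackers`, which matters since that file is reloaded into the table on boot via `persist file`.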