Date:      Thu, 4 Nov 2010 14:18:11 +0000
From:      krad <kraduk@gmail.com>
To:        "Justin V." <vic@yeaguy.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: SSHgaurd and PF
Message-ID:  <AANLkTimE8GP6YzzfVgKHAfsvAUAVNa=LBfCC9v6Ovdf9@mail.gmail.com>
In-Reply-To: <alpine.BSF.2.00.1011020930390.17971@yeaguy.com>
References:  <alpine.BSF.2.00.1011020930390.17971@yeaguy.com>

On 2 November 2010 16:34, Justin V. <vic@yeaguy.com> wrote:

> Hi,
>
> Would this be considered bruteforce??
>
> This goes on and on:
>
>
> Nov  2 05:42:19 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
> Nov  2 05:42:53 yeaguy last message repeated 3 times
> Nov  2 05:43:11 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
> Nov  2 05:43:31 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
> Nov  2 05:43:35 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
> Nov  2 05:43:54 yeaguy last message repeated 2 times
> Nov  2 05:44:27 yeaguy last message repeated 2 times
> Nov  2 05:44:47 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
> Nov  2 05:44:53 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
> Nov  2 05:45:27 yeaguy last message repeated 3 times
> Nov  2 05:45:44 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
> Nov  2 05:46:05 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
> Nov  2 05:46:12 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
> Nov  2 05:46:47 yeaguy last message repeated 3 times
> Nov  2 05:47:03 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
> Nov  2 05:47:24 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
> Nov  2 05:47:31 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
> Nov  2 05:48:06 yeaguy last message repeated 3 times
> Nov  2 05:48:24 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
> Nov  2 05:48:45 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
> Nov  2 05:48:50 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
> Nov  2 05:49:25 yeaguy last message repeated 3 times
> Nov  2 05:49:42 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
> Nov  2 05:50:01 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
> Nov  2 05:50:08 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
> Nov  2 05:50:40 yeaguy last message repeated 3 times
> Nov  2 05:50:58 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
> Nov  2 05:51:20 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
> Nov  2 05:51:25 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
> Nov  2 05:51:59 yeaguy last message repeated 3 times
> Nov  2 05:52:16 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
>
>
>
> My sshguard config:
>
>
>
> #       $FreeBSD: src/share/examples/pf/pf.conf,v 1.1.4.1.4.1 2010/06/14 02:09:06 kensmith Exp $
> #       $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
> #
> # See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> ext_if="wlan0"
> #int_if="int0"
>
> #table <spamd-white> persist
> table <sshguard> persist
>
> #set skip on lo
>
> #scrub in
>
> #nat-anchor "ftp-proxy/*"
> #rdr-anchor "ftp-proxy/*"
> #nat on $ext_if from !($ext_if) -> ($ext_if:0)
> #rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
> #no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
> #rdr pass on $ext_if proto tcp from any to any port smtp \
> #       -> 127.0.0.1 port spamd
>
> #anchor "ftp-proxy/*"
> #block in
> block in log quick on $ext_if from <sshguard> label "bruteforce"
> #pass out
>
> #pass quick on $int_if no state
> #antispoof quick for { lo $int_if }
>
> #pass in on $ext_if proto tcp to ($ext_if) port ssh
> #pass in log on $ext_if proto tcp to ($ext_if) port smtp
> #pass out log on $ext_if proto tcp from ($ext_if) to port smtp
>
>
> LOGS:
>
> yeaguy#  nslookup  a214.amber.fastwebserver.de
> Server:         10.1.1.1
> Address:        10.1.1.1#53
>
> Non-authoritative answer:
> Name:   a214.amber.fastwebserver.de
> Address: 217.79.189.214
>
> yeaguy# tcpdump -n -e -ttt -r /var/log/pflog | grep 217.79.189.214
> reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
> yeaguy#
>
>
> Thanks,
>
> Justin
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>


Even if it is, do you really need to leave ssh accessible to the whole world,
or can you not lock it down with ACLs, e.g. explicitly block all ssh attempts
apart from those in table ssh, say?
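An added example, not part of the thread and not sshguard's own logic: the question in the quoted mail is whether the pure-ftpd lines amount to a brute-force attempt, and the pflog check shows that nothing for that source was ever blocked. The script below does the counting a log watcher has to do before it can answer that: it parses the three line shapes from the excerpt, charges each syslog "last message repeated N times" summary to the host and event kind of the line before it (those summaries hide most of the attempts here), applies a sliding-window threshold per remote host, and prints the `pfctl -t sshguard -T add` command an operator would run against the `<sshguard>` table from the quoted pf.conf. The sample log is the first nine lines of the excerpt plus one constructed benign line from 203.0.113.7; the name-to-address mapping is the nslookup result quoted in the thread. The threshold, window and the `203.0.113.7` line are assumptions, not values from the page.

```python
"""Count pure-ftpd authentication failures per remote host from syslog lines,
expand "last message repeated N times" summaries, and flag hosts that crossed
a brute-force threshold inside a sliding window."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

TS = r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
FAIL_RE = re.compile(TS + r" \S+ pure-ftpd: \(\S*@(?P<host>[^)]+)\) "
                     r"\[WARNING\] Authentication failed for user \[(?P<user>[^\]]*)\]")
LOCKOUT_RE = re.compile(TS + r" \S+ pure-ftpd: \(\S*@(?P<host>[^)]+)\) "
                        r"\[ERROR\] Too many authentication failures")
REPEAT_RE = re.compile(TS + r" \S+ last message repeated (?P<n>\d+) times")

# First nine lines of the thread's excerpt, plus one constructed benign line
# from a TEST-NET address so a single failure is visibly left alone.
SAMPLE_LOG = """\
Nov  2 05:42:19 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:42:53 yeaguy last message repeated 3 times
Nov  2 05:43:11 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:43:31 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
Nov  2 05:43:35 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:43:54 yeaguy last message repeated 2 times
Nov  2 05:44:27 yeaguy last message repeated 2 times
Nov  2 05:44:47 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
Nov  2 05:44:53 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:45:00 yeaguy pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [bob]
""".splitlines()

# Resolved address quoted in the thread (nslookup output); constructed lookup table.
KNOWN_ADDRESSES = {"a214.amber.fastwebserver.de": "217.79.189.214"}


@dataclass
class HostStats:
    failures: int = 0          # failed logins, with repeat summaries expanded
    lockouts: int = 0          # "Too many authentication failures" events
    users: Set[str] = field(default_factory=set)
    events: List[Tuple[datetime, int]] = field(default_factory=list)  # (when, failures)
    first: Optional[datetime] = None
    last: Optional[datetime] = None


def _parse_ts(raw: str) -> datetime:
    # syslog carries no year; strptime fills in 1900, which is fine for intra-day deltas
    return datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S")


def aggregate(lines) -> Dict[str, HostStats]:
    stats: Dict[str, HostStats] = defaultdict(HostStats)
    last_event: Optional[Tuple[str, str]] = None  # (host, kind) of the previous pure-ftpd line
    for line in lines:
        if m := FAIL_RE.match(line):
            host, kind, n, user = m["host"], "failure", 1, m["user"]
        elif m := LOCKOUT_RE.match(line):
            host, kind, n, user = m["host"], "lockout", 1, None
        elif (m := REPEAT_RE.match(line)) and last_event:
            # syslog collapsed N identical lines; charge them to the previous host and kind
            (host, kind), n, user = last_event, int(m["n"]), None
        else:
            continue
        ts = _parse_ts(m["ts"])
        s = stats[host]
        if kind == "failure":
            s.failures += n
            s.events.append((ts, n))
        else:
            s.lockouts += n
        if user:
            s.users.add(user)
        s.first = ts if s.first is None else min(s.first, ts)
        s.last = ts if s.last is None else max(s.last, ts)
        last_event = (host, kind)
    return dict(stats)


def hosts_to_block(stats: Dict[str, HostStats], max_failures: int = 10,
                   window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Hosts that reached max_failures failed logins inside any span of `window`."""
    blocked = []
    for host, s in stats.items():
        ev = sorted(s.events)
        running, i = 0, 0
        for ts, n in ev:
            running += n
            while ev[i][0] < ts - window:  # drop events that slid out of the window
                running -= ev[i][1]
                i += 1
            if running >= max_failures:
                blocked.append(host)
                break
    return sorted(blocked)


def pfctl_commands(hosts: List[str], resolve: Dict[str, str] = KNOWN_ADDRESSES) -> List[str]:
    """Commands to add offenders to the <sshguard> table from the quoted pf.conf.
    pure-ftpd logs the reverse-DNS name; feed pf the resolved address, since the
    remote side controls its own PTR record."""
    return [f"pfctl -t sshguard -T add {resolve.get(h, h)}" for h in hosts]


if __name__ == "__main__":
    for cmd in pfctl_commands(hosts_to_block(aggregate(SAMPLE_LOG))):
        print(cmd)
```

Two things the numbers make visible: the nine quoted lines already hold eleven failed logins, not the five that a grep for "Authentication failed" would count, and pure-ftpd's own lockout ("Too many authentication failures") only ends the FTP session, so the source keeps coming back until something at the packet filter drops it.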


