Quoting Dave <[EMAIL PROTECTED]>:
Hello,
I've got a machine running ssh and i'm trying to cut down on
brute force attacks on it. I'm running pf on a freebsd 6.2 box and
have added in swatch to try to curve these attacks. The problem is
nothing is being added to either the memory hackers table nor the
ondisk copy of it. I know i'm getting hits because i'm seeing
entries in my auth.log like this:
Apr 21 06:18:38 zeus sshd[10609]: Did not receive identification
string from 125.33.163.188
Apr 21 06:22:55 zeus sshd[10658]: User root from 125.33.163.188 not
allowed because none of user's groups are listed in AllowGroups
Apr 21 06:22:55 zeus sshd[10658]: Failed password for invalid user
root from 125.33.163.188 port 54521 ssh2
Apr 21 06:22:57 zeus sshd[10660]: User root from 125.33.163.188 not
allowed because none of user's groups are listed in AllowGroups
Apr 21 06:22:57 zeus sshd[10660]: Failed password for invalid user
root from 125.33.163.188 port 54727 ssh2
Apr 24 00:52:08 zeus sshd[7746]: Failed password for invalid user
root from 218.205.231.39 port 61694 ssh2
Apr 24 00:52:11 zeus sshd[7749]: User root from 218.205.231.39 not
allowed because none of user's groups are listed in AllowGroups
Apr 24 00:52:11 zeus sshd[7749]: Failed password for invalid user
root from 218.205.231.39 port 61773 ssh2
I don't want to move my ssh, i feel these bots would just find it
again. I'm also getting postfix atempts i'd like to block them both.
My swatch configuration looks like this:
rc.conf
swatch_enable="YES"
swatch_rules="1"
swatch_1_flags="--config-file=/usr/local/etc/swatchrc
--tail-file=/var/log/auth.log --daemon --pid-file=/var/run/swatch.pid"
swatch_1_user="root"
swatch_1_chdir="/var/tmp"
swatch_1_pidfile="/var/run/swatch.pid"
In pf i have a block by default policy and i've got these lines:
table <hackers> persist file "/etc/hackers"
block all
block in quick on $ext_if from <hackers> to any
and /usr/local/etc/swatchrc calls a script that looks like:
#!/bin/sh
/sbin/pfctl -t hackers -T add $1
/bin/echo $1 >> /etc/hackers
/usr/bin/logger swatch: $1 caught with bad login. Added to hackers pf table
If there's a better way that i can get both ssh and smtp bots i'd
like to know about it, also if my config is wrong let me know it's
not working. One thing, i do not want to unblock atempted hackings,
my feeling is those that do it should have no further interactions
with my machines on any level.
I'm pretty sure that I don't have a better way, in fact that is why
I'm posting it ;) but it seems to work.
My rules are basically:
block drop in quick on $ext_if from <ssh-bruteforce> to any
block drop in quick on $ext_if from <blocksmtp> to any
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port
smtp flags S/SA keep state \
( max-src-conn 70, max-src-conn-rate 70/90, overload <blocksmtp>
flush global )
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port
$ssh_services flags S/SA keep state \
( max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global )
The connections and rates took me a couple of week to not block legit
smtp but it seems to be ok for my installation now.
I'm not sure if the quick is good or bad but it was faster ;)
Maybe this will give you another perspective, from someone less knowledgeable.
I also run expiretable to leave the ip's in for 24 hours and I get few
repeats. I've thought about not doing that but . . . . .
Good luck,
ed
Thanks.
Dave.
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
