Quoting Dave <[EMAIL PROTECTED]>:
> Hello,
> I've got a machine running ssh and I'm trying to cut down on brute
> force attacks on it. I'm running pf on a FreeBSD 6.2 box and have
> added in swatch to try to curb these attacks. The problem is nothing
> is being added to either the in-memory hackers table or the on-disk copy
> of it. I know I'm getting hits because I'm seeing entries in my
> auth.log like this:
> Apr 21 06:18:38 zeus sshd[10609]: Did not receive identification string from 125.33.163.188
> Apr 21 06:22:55 zeus sshd[10658]: User root from 125.33.163.188 not allowed because none of user's groups are listed in AllowGroups
> Apr 21 06:22:55 zeus sshd[10658]: Failed password for invalid user root from 125.33.163.188 port 54521 ssh2
> Apr 21 06:22:57 zeus sshd[10660]: User root from 125.33.163.188 not allowed because none of user's groups are listed in AllowGroups
> Apr 21 06:22:57 zeus sshd[10660]: Failed password for invalid user root from 125.33.163.188 port 54727 ssh2
> Apr 24 00:52:08 zeus sshd[7746]: Failed password for invalid user root from 218.205.231.39 port 61694 ssh2
> Apr 24 00:52:11 zeus sshd[7749]: User root from 218.205.231.39 not allowed because none of user's groups are listed in AllowGroups
> Apr 24 00:52:11 zeus sshd[7749]: Failed password for invalid user root from 218.205.231.39 port 61773 ssh2
> I don't want to move my ssh; I feel these bots would just find it
> again. I'm also getting postfix attempts, and I'd like to block them both.
> My swatch configuration looks like this:
> rc.conf
> swatch_enable="YES"
> swatch_rules="1"
> swatch_1_flags="--config-file=/usr/local/etc/swatchrc
> --tail-file=/var/log/auth.log --daemon --pid-file=/var/run/swatch.pid"
> swatch_1_user="root"
> swatch_1_chdir="/var/tmp"
> swatch_1_pidfile="/var/run/swatch.pid"
> In pf I have a block-by-default policy and I've got these lines:
> table <hackers> persist file "/etc/hackers"
> block all
> block in quick on $ext_if from <hackers> to any
> and /usr/local/etc/swatchrc calls a script that looks like:
> #!/bin/sh
> # $1 is the offending address swatch hands to the script
> /sbin/pfctl -t hackers -T add "$1"
> /bin/echo "$1" >> /etc/hackers
> /usr/bin/logger "swatch: $1 caught with bad login. Added to hackers pf table"
> If there's a better way that I can get both ssh and smtp bots I'd
> like to know about it; also, if my config is wrong let me know, as it's
> not working. One thing, I do not want to unblock attempted hackings,
Greetings,
You /may/ want to re-consider this policy. I was plagued with dictionary/
brute force attempts against a couple of my mail servers, which spurred
me into concocting some method to ease the burden and ultimately defeat
such attempts. My final solution was a combination of scripts (grep ||
sed || awk || uniq || sort ) run out of cron that parse the maillog
for patterns that match offenders. It works perfectly (over 7,700 IPs).
BUT, you should consider, as I did, that many of the offending IPs are
leased (DHCP) and are only owned/used by the perpetrator for a relatively
short amount of time, and then they become available and used by a now
INNOCENT user. Also, there are those who /do/ own/lease the IPs on
a longer term basis that have mis-configured boxen which are effectively
open proxies that are later corrected. So they too are only guilty
by proxy (sorry, I couldn't resist ;)). Anyway, the point I'm attempting
to make here is that you should probably consider developing an
EXPIRE policy for the offending/accumulating IP list. That way, you'll
be able to DIFF the current against the EXPIRED and gain a more reasonable
understanding of /which/ IPs are /always/ going to be offenders vs. those
who were just short term (for whatever reason).
Just thought I'd mention it.
Best wishes.
> my feeling is those that do it should have no further interactions
> with my machines on any level.
> Thanks.
> Dave.
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
--
panic: kernel trap (ignored)
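One way to put the two halves of this thread together, as an added example that is neither Dave's script nor anything posted in the thread: it pulls offending source IPs out of sshd lines like the auth.log excerpt, bans them into the <hackers> table, and expires old entries from the on-disk copy as the reply suggests. It assumes my own "IP # epoch" line format for /etc/hackers (as far as I know pf's table-file loader treats text after # as a comment, so `persist file` still loads it) and that PFCTL can be pointed at a no-op, e.g. PFCTL=true, to exercise the logic on a box without pf.

```shell
#!/bin/sh
# Added example, not the script from the original post. Pulls the offending
# source IPs out of sshd lines like those in the auth.log excerpt above, bans
# them into the pf <hackers> table, and keeps a timestamped on-disk copy so
# entries can be expired as the reply suggests. Assumptions: the "IP # epoch"
# line format is my own choice (pf's table-file loader ignores text after #),
# and PFCTL can be overridden (e.g. PFCTL=true) to exercise it without pf.
PFCTL="${PFCTL:-/sbin/pfctl}"
HACKERS="${HACKERS:-/etc/hackers}"
EXPIRE_DAYS="${EXPIRE_DAYS:-30}"

# Print each unique source IP from sshd failure lines read on stdin.
extract_offenders() {
    grep -E 'sshd\[[0-9]+\]: (Failed password for|Did not receive identification string from)' |
        sed -nE 's/.* from ([0-9]{1,3}(\.[0-9]{1,3}){3}).*/\1/p' |
        sort -u
}

# Add one IP to the running table and record it with a timestamp ($2, or now).
ban_ip() {
    ip="$1"; now="${2:-$(date +%s)}"
    "$PFCTL" -t hackers -T add "$ip" >/dev/null 2>&1 || return 1
    printf '%s # %s\n' "$ip" "$now" >> "$HACKERS"
    logger -t swatch "$ip caught with bad login, added to hackers pf table" 2>/dev/null || true
}

# Print the entries of a timestamped hackers file ($1) younger than
# EXPIRE_DAYS, judged against the epoch time in $2 (defaults to now).
unexpired_entries() {
    now="${2:-$(date +%s)}"
    awk -v cutoff="$((now - EXPIRE_DAYS * 86400))" '$3 >= cutoff' "$1"
}

# Drop expired entries from the on-disk list and reload the table from it,
# so the in-memory table and the file stay identical. Meant for cron.
expire_hackers() {
    tmp="$HACKERS.tmp.$$"
    unexpired_entries "$HACKERS" "$1" > "$tmp" && mv "$tmp" "$HACKERS"
    "$PFCTL" -t hackers -T replace -f "$HACKERS" >/dev/null 2>&1
}

# Lines taken from the auth.log excerpt in the post, for a stand-alone run.
SAMPLE_LOG='Apr 21 06:18:38 zeus sshd[10609]: Did not receive identification string from 125.33.163.188
Apr 21 06:22:55 zeus sshd[10658]: Failed password for invalid user root from 125.33.163.188 port 54521 ssh2
Apr 24 00:52:08 zeus sshd[7746]: Failed password for invalid user root from 218.205.231.39 port 61694 ssh2'
# Cron-style use: extract_offenders < /var/log/auth.log | while read -r ip; do ban_ip "$ip"; done
```

Blocking postfix abusers the same way only needs a second extract function keyed on the maillog patterns, feeding the same ban_ip and the same expiry.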