Strange. It's working for me - I've just tested my own setup again and it blocks me. Although the file logging isn't working - not sure why that is...

Can you confirm that your pf rules have the block line in before the permit rule and that it's correct for your firewall rules, i.e. no other rule is overriding it, and that you're testing it on the interface the rule is on, i.e. the external interface?

You could change your permit ssh line to be something like this:

pass in log quick inet proto tcp from !<sshdtrolls> to $EXT_IF port 22 modulate state label "ssh in" flags S/SA

Change that line to whatever suits your rules - it's just an example of the !<sshdtrolls> bit. You probably don't even need the block rule in with this.

Also check the IP address in the table with pfctl -t sshdtrolls -T show and make sure it's correct.

The reason I think it's a firewall rule is that you said it said "1/1 addresses added", which means that it's picking it up from the logs and adding it to the table - the only other place it can go wrong is in the block rule.

Let me know how you get on.

Cheers - Nick



Rico wrote:

Dear Nick

I have tried your setup below. I too have the setup and file placement as you, but I am not using keys.

When I try to log on as an illegal user, the attempt is logged by authlog, and swatch, running from the console, says:

1/1 addresses added.

I am using this 'table <sshdtrolls> persist file "/root/pf/sshdhackers"'

I don't get any entries in the sshdhackers file and I don't get blocked from the system.

I also use AllowUsers

Would you mind explaining a bit more about your setup?

Friendly
Rico.

Nick Ryan wrote:

What you could also do is install swatch from ports or packages and have a table in your pf.conf like this:

table <sshdtrolls> persist

and a rule

#stop ssh trolls
block in log quick on $EXT_IF inet proto {tcp,udp} from <sshdtrolls> to $EXT_IF port ssh label "SSHDTrolls"


A swatchrc file of:

watchfor /Failed password for invalid user/
       exec /sbin/pfctl -t sshdtrolls -T add $13
       [EMAIL PROTECTED], --subject=woo. we have a troll
       throttle 02:00
       exec echo $13 >> /root/swatchlog

Then run swatch with:

/usr/local/bin/swatch -c /root/swatchrc -t /var/log/authlog &

(Note file locations and settings might need to be changed depending on your config)

I also use AllowUsers and have PubkeyAuthentication and PasswordAuthentication no set in sshd_config. This means that for a normal login the error "Failed password for invalid user" won't come up, as it'll never get that far because it's expecting a key.

If a troll tries to log in, they get one chance before swatch picks it up and adds it to the block table.
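As an added example (not code from this thread, and not Nick's or Rico's setup), the script below shows the two places the swatch recipe above can quietly go wrong, and gives a check for each. First, the "exec ... $13" line depends on the source address being the 13th whitespace-separated field of the authlog line, which is true for the usual "Failed password for invalid user NAME from IP port N ssh2" format but breaks as soon as the attacker-chosen username contains a space; swatch_field13 reproduces what swatch hands to pfctl, and extract_troll_ips pulls the address out by pattern instead. Second, pfctl -T add changes only the in-kernel table: it never writes the address back into a "persist file" named in pf.conf, so an empty /root/pf/sshdhackers tells you nothing about whether the table was populated. The table name sshdtrolls and the pfctl path come from the thread; the hostnames, PIDs and addresses in SAMPLE_LOG are constructed (RFC 5737 / RFC 3849 documentation ranges), and DRY_RUN defaults to printing the pfctl commands rather than running them.

```sh
#!/bin/sh
# Added example, not code from the thread: pull attacker addresses out of
# sshd "Failed password for invalid user" lines the way swatch's "exec ... $13"
# does, but by pattern instead of field position, and hand them to pfctl.
# Table name, pfctl path and the sample log lines below are assumptions.

PF_TABLE="${PF_TABLE:-sshdtrolls}"   # table declared with "table <sshdtrolls> persist"
PFCTL="${PFCTL:-/sbin/pfctl}"
DRY_RUN="${DRY_RUN:-1}"               # 1 = print the pfctl commands instead of running them

# Constructed authlog lines (documentation addresses, invented hostnames/PIDs).
SAMPLE_LOG='Mar  3 10:14:21 gw sshd[12345]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Mar  3 10:14:25 gw sshd[12345]: Accepted publickey for rico from 198.51.100.7 port 40000 ssh2
Mar  3 10:14:30 gw sshd[12346]: Failed password for invalid user test user from 203.0.113.5 port 51240 ssh2
Mar  3 10:14:33 gw sshd[12347]: Failed password for invalid user oracle from 2001:db8::bad port 51250 ssh2'

# swatch_field13: what "exec ... $13" sees, i.e. the 13th whitespace-separated field.
# Correct for a one-word username, wrong as soon as the username contains a space.
swatch_field13() {
    awk '{ print $13 }'
}

# extract_troll_ips: the address between " from " and " port " on every
# "Failed password for invalid user" line, whatever the username contains.
# Accepts IPv4 and IPv6; other log lines (e.g. successful logins) are ignored.
extract_troll_ips() {
    sed -n 's/.*Failed password for invalid user .* from \([0-9A-Fa-f.:]*\) port [0-9]*.*/\1/p'
}

# add_to_table: add each address read from stdin to the pf table.
# Note that "pfctl -T add" changes only the in-kernel table; it does not
# write the address back into a "persist file" named in pf.conf.
add_to_table() {
    while read -r ip; do
        [ -n "$ip" ] || continue
        if [ "$DRY_RUN" = 1 ]; then
            echo "$PFCTL -t $PF_TABLE -T add $ip"
        else
            "$PFCTL" -t "$PF_TABLE" -T add "$ip"
        fi
    done
}

# Stand-alone run: show the pfctl commands that would be issued for the sample log.
printf '%s\n' "$SAMPLE_LOG" | extract_troll_ips | add_to_table
```

Run it with DRY_RUN=0 as root on the firewall to actually populate the table, then confirm with pfctl -t sshdtrolls -T show (as suggested above) and pfctl -t sshdtrolls -T test 192.0.2.10 that the address is in the kernel table. If it is and you are still not blocked, the problem is in the ruleset: the block rule in the thread is "quick", so it wins only if no earlier quick pass rule already matched the packet on the same interface.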


