I just had to reply with this info because I already had an attempted brute force in the last hour. All you need to do is make your rule tighter and add a connection rate ratio to start collecting IPs.

(I use logsentry/logcheck)

Security Violations
=-=-=-=-=-=-=-=-=-=
Aug 8 11:48:16 traci sshd[1099]: Failed password for invalid user root from 72.11.128.61 port 42049 ssh2
Aug 8 11:48:17 traci sshd[25952]: Failed password for invalid user root from 72.11.128.61 port 42104 ssh2
Aug 8 11:48:18 traci sshd[2543]: Failed password for invalid user root from 72.11.128.61 port 42149 ssh2
Aug 8 11:48:19 traci sshd[14785]: Failed password for invalid user root from 72.11.128.61 port 42193 ssh2
Aug 8 11:48:20 traci sshd[75]: Failed password for invalid user root from 72.11.128.61 port 42242 ssh2

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Aug 8 11:48:16 traci sshd[1099]: User root from 72.11.128.61 not allowed because not listed in AllowUsers
Aug 8 11:48:16 traci sshd[28065]: input_userauth_request: invalid user root
Aug 8 11:48:16 traci sshd[1099]: Failed password for invalid user root from 72.11.128.61 port 42049 ssh2
Aug 8 11:48:16 traci sshd[28065]: Received disconnect from 72.11.128.61: 11: Bye Bye
Aug 8 11:48:17 traci sshd[25952]: User root from 72.11.128.61 not allowed because not listed in AllowUsers
Aug 8 11:48:17 traci sshd[4408]: input_userauth_request: invalid user root
Aug 8 11:48:17 traci sshd[25952]: Failed password for invalid user root from 72.11.128.61 port 42104 ssh2
Aug 8 11:48:17 traci sshd[4408]: Received disconnect from 72.11.128.61: 11: Bye Bye
Aug 8 11:48:18 traci sshd[2543]: User root from 72.11.128.61 not allowed because not listed in AllowUsers
Aug 8 11:48:18 traci sshd[23885]: input_userauth_request: invalid user root
Aug 8 11:48:18 traci sshd[2543]: Failed password for invalid user root from 72.11.128.61 port 42149 ssh2
Aug 8 11:48:18 traci sshd[23885]: Received disconnect from 72.11.128.61: 11: Bye Bye
Aug 8 11:48:19 traci sshd[14785]: User root from 72.11.128.61 not allowed because not listed in AllowUsers
Aug 8 11:48:19 traci sshd[22134]: input_userauth_request: invalid user root
Aug 8 11:48:19 traci sshd[14785]: Failed password for invalid user root from 72.11.128.61 port 42193 ssh2
Aug 8 11:48:19 traci sshd[22134]: Received disconnect from 72.11.128.61: 11: Bye Bye
Aug 8 11:48:20 traci sshd[75]: User root from 72.11.128.61 not allowed because not listed in AllowUsers
Aug 8 11:48:20 traci sshd[12103]: input_userauth_request: invalid user root
Aug 8 11:48:20 traci sshd[75]: Failed password for invalid user root from 72.11.128.61 port 42242 ssh2
Aug 8 11:48:20 traci sshd[12103]: Received disconnect from 72.11.128.61: 11: Bye Bye

pfctl -t DoS_hosts -T show -v
72.11.128.61
    Cleared:    Wed Aug 8 11:48:20 2007
    In/Block:   [ Packets: 6 Bytes: 240 ]
    In/Pass:    [ Packets: 0 Bytes: 0 ]
    Out/Block:  [ Packets: 0 Bytes: 0 ]
    Out/Pass:   [ Packets: 0 Bytes: 0 ]

--
~Allie D.

On Wed, August 8, 2007 10:26, David Newman wrote:
> On 6/27/07 10:39 PM, Daniel Ouellet wrote:
>> Steve B wrote:
>>> The rule I've had in my pf.conf file to catch and block forceful SSH
>>> attempts no longer appears to be working. I see the entries in my authlog,
>>> but the IPs are no longer getting added to my table. I suspect I screwed
>>> something up, but so far I am at a loss to see where. Could someone pass
>>> another set of eyes over the relevant parts of my pf.conf?
>>
>> Put quickly as an example, but you can try:
>>
>> # Define some variable for clarity
>> SSH_LIMIT="(max-src-conn-rate 3/30, overload <scanners> flush global)"
>>
>> ## SSH Hackers - blocked IPs
>> table <scanners> persist file "/etc/tables/scanners"
>>
>> # Block ssh access to bad ssh scanner
>> block drop in log quick on $ext_if inet proto tcp \
>>     from <scanners> to any port ssh
>>
>> # Allow quick valid traffic to ssh but log all attempts as well
>> pass in log quick on $ext_if inet proto tcp from ! <scanners> \
>>     to $ext_if port ssh flags S/SA keep state \
>>     $SSH_LIMIT
>>
>
> I've added something like this to pf.conf but it's only partially
> successful. I would appreciate any clues as to why it's not blocking all
> brute-force attempts.
>
> On an OBSD 4.1 box, here's what I added to pf.conf ($unpro is the
> Internet-facing interface):
>
> #####
>
> # Define limit of ssh connection rates
> SSH_LIMIT="(max-src-conn-rate 3/30, overload <scanners> flush global)"
> # SSH scanners - blocked IPs
> table <scanners> persist
>
> block drop in log quick on $unpro inet proto tcp \
>     from <scanners> to any port ssh
>
> # Allow quick valid traffic to ssh but log all attempts as well
> pass in log quick on $unpro inet proto tcp from ! <scanners> \
>     to $unpro port ssh $SSH_LIMIT
>
> #####
>
> And it appears to be working, at least in part:
>
> [EMAIL PROTECTED] ~ 501$ sudo pfctl -t scanners -T show
> 61.146.178.13
> 61.189.145.103
> 67.76.237.190
> 161.200.144.108
> 193.254.31.194
>
> #####
>
> But some hosts on the protected side of the firewall still report
> brute-force ssh login attempts exceeding the 3/30 rate:
>
> Aug 7 10:16:00 mail sshd[21608]: Invalid user trash from 201.18.81.8
> Aug 7 10:16:08 mail sshd[21610]: Invalid user aaron from 201.18.81.8
> Aug 7 10:16:11 mail sshd[21612]: Invalid user gt05 from 201.18.81.8
> Aug 7 10:16:18 mail sshd[21614]: Invalid user william from 201.18.81.8
> Aug 7 10:16:22 mail sshd[21616]: Invalid user stephanie from 201.18.81.8
> Aug 7 10:16:59 mail sshd[21628]: Invalid user gary from 201.18.81.8
> Aug 7 10:17:07 mail sshd[21632]: Invalid user guest from 201.18.81.8
> Aug 7 10:17:11 mail sshd[21634]: Invalid user test from 201.18.81.8
> Aug 7 10:17:17 mail sshd[21636]: Invalid user oracle from 201.18.81.8
> Aug 7 10:19:24 mail sshd[21717]: Invalid user apache from 201.18.81.8
> Aug 7 10:19:43 mail sshd[21723]: Invalid user lab from 201.18.81.8
> Aug 7 10:19:55 mail sshd[21729]: Invalid user oracle from 201.18.81.8
> Aug 7 10:20:00 mail sshd[21736]: Invalid user svn from 201.18.81.8
> Aug 7 10:20:06 mail sshd[21745]: Invalid user iraf from 201.18.81.8
> Aug 7 10:20:13 mail sshd[21747]: Invalid user swsoft from 201.18.81.8
> Aug 7 10:20:18 mail sshd[21749]: Invalid user production from 201.18.81.8
> Aug 7 10:20:23 mail sshd[21751]: Invalid user guest from 201.18.81.8
> Aug 7 10:20:28 mail sshd[21753]: Invalid user gast from 201.18.81.8
> Aug 7 10:20:34 mail sshd[21755]: Invalid user gast from 201.18.81.8
> Aug 7 10:20:40 mail sshd[21762]: Invalid user oliver from 201.18.81.8
> Aug 7 10:20:45 mail sshd[21767]: Invalid user sirsi from 201.18.81.8
> Aug 7 10:20:50 mail sshd[21769]: Invalid user nagios from 201.18.81.8
> Aug 7 10:20:55 mail sshd[21771]: Invalid user nagios from 201.18.81.8
> Aug 7 10:20:59 mail sshd[21773]: Invalid user nagios from 201.18.81.8
>
> Thanks in advance for suggestions as to how to reduce these kinds of
> login attempts.
>
> dn
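The thread turns on whether the `max-src-conn-rate 3/30` overload rule should have fired for the sources in the quoted logs. The script below is an added example written for this page, not code from any of the posters or from pf itself: it replays sshd log lines through a per-source sliding window that approximates pf's "more than N new connections in M seconds" rule and reports when each source would have been moved into the overload table, plus the peak burst each source reached (handy for picking a threshold). The sample input is constructed from the log lines quoted above; the year is an assumption because syslog timestamps carry none. It treats one logged attempt as one TCP connection, which matches these logs (each attempt in Allie's log ends with its own "Received disconnect"), though pf itself counts state creations, not sshd messages. Run against the page's own data, both 72.11.128.61 and 201.18.81.8 exceed 3/30 within seconds, so a rate that low is not the weak point; a check worth making on the quoted pf.conf instead is rule scope, since `max-src-conn-rate` only counts connections that create state on the rule carrying it, and David's pass rule matches only `to $unpro port ssh`, the firewall's own address, so SSH passed through to hosts behind it (such as `mail`) is never counted unless the rule that passes that traffic also carries `$SSH_LIMIT`.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the two sshd message shapes that appear in the quoted logs:
#   "Failed password for invalid user root from 72.11.128.61 port 42049 ssh2"
#   "Invalid user trash from 201.18.81.8"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Failed password for invalid user \S+|Invalid user \S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample input: the sshd lines quoted in the thread above.
SAMPLE_LOG = """\
Aug 8 11:48:16 traci sshd[1099]: Failed password for invalid user root from 72.11.128.61 port 42049 ssh2
Aug 8 11:48:17 traci sshd[25952]: Failed password for invalid user root from 72.11.128.61 port 42104 ssh2
Aug 8 11:48:18 traci sshd[2543]: Failed password for invalid user root from 72.11.128.61 port 42149 ssh2
Aug 8 11:48:19 traci sshd[14785]: Failed password for invalid user root from 72.11.128.61 port 42193 ssh2
Aug 8 11:48:20 traci sshd[75]: Failed password for invalid user root from 72.11.128.61 port 42242 ssh2
Aug 7 10:16:00 mail sshd[21608]: Invalid user trash from 201.18.81.8
Aug 7 10:16:08 mail sshd[21610]: Invalid user aaron from 201.18.81.8
Aug 7 10:16:11 mail sshd[21612]: Invalid user gt05 from 201.18.81.8
Aug 7 10:16:18 mail sshd[21614]: Invalid user william from 201.18.81.8
Aug 7 10:16:22 mail sshd[21616]: Invalid user stephanie from 201.18.81.8
Aug 7 10:16:59 mail sshd[21628]: Invalid user gary from 201.18.81.8
Aug 7 10:17:07 mail sshd[21632]: Invalid user guest from 201.18.81.8
Aug 7 10:17:11 mail sshd[21634]: Invalid user test from 201.18.81.8
Aug 7 10:17:17 mail sshd[21636]: Invalid user oracle from 201.18.81.8
Aug 7 10:19:24 mail sshd[21717]: Invalid user apache from 201.18.81.8
Aug 7 10:19:43 mail sshd[21723]: Invalid user lab from 201.18.81.8
Aug 7 10:19:55 mail sshd[21729]: Invalid user oracle from 201.18.81.8
Aug 7 10:20:00 mail sshd[21736]: Invalid user svn from 201.18.81.8
Aug 7 10:20:06 mail sshd[21745]: Invalid user iraf from 201.18.81.8
Aug 7 10:20:13 mail sshd[21747]: Invalid user swsoft from 201.18.81.8
Aug 7 10:20:18 mail sshd[21749]: Invalid user production from 201.18.81.8
Aug 7 10:20:23 mail sshd[21751]: Invalid user guest from 201.18.81.8
Aug 7 10:20:28 mail sshd[21753]: Invalid user gast from 201.18.81.8
Aug 7 10:20:34 mail sshd[21755]: Invalid user gast from 201.18.81.8
Aug 7 10:20:40 mail sshd[21762]: Invalid user oliver from 201.18.81.8
Aug 7 10:20:45 mail sshd[21767]: Invalid user sirsi from 201.18.81.8
Aug 7 10:20:50 mail sshd[21769]: Invalid user nagios from 201.18.81.8
Aug 7 10:20:55 mail sshd[21771]: Invalid user nagios from 201.18.81.8
Aug 7 10:20:59 mail sshd[21773]: Invalid user nagios from 201.18.81.8
""".splitlines()


def parse_line(line, year=2007):
    """Return (timestamp, source_ip) for a matching sshd line, else None.
    syslog lines carry no year, so one is assumed (2007 for the thread's logs)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")


def _slide(window, ts, seconds):
    """Append ts to a per-source window and drop entries older than `seconds`."""
    window.append(ts)
    while (ts - window[0]).total_seconds() > seconds:
        window.popleft()


def overload_sources(lines, max_conn=3, seconds=30, year=2007):
    """Approximate pf's 'max-src-conn-rate max_conn/seconds' on sshd log lines.

    A source is flagged the first time more than `max_conn` of its attempts fall
    inside a `seconds`-wide window; the returned dict maps source -> flag time,
    the moment pf would have moved the address into the overload table.
    """
    windows = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in flagged:
            continue  # already in the overload table; later attempts are blocked
        _slide(windows[ip], ts, seconds)
        if len(windows[ip]) > max_conn:
            flagged[ip] = ts
    return flagged


def peak_attempts(lines, seconds=30, year=2007):
    """Largest number of attempts any single source made inside a `seconds` window.
    A max-src-conn-rate count at or above this peak would never fire for that source."""
    windows = defaultdict(deque)
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, ip = parsed
        _slide(windows[ip], ts, seconds)
        peak[ip] = max(peak[ip], len(windows[ip]))
    return dict(peak)


if __name__ == "__main__":
    for ip, when in overload_sources(SAMPLE_LOG).items():
        print(f"{ip} would be overloaded at {when:%b %d %H:%M:%S} under 3/30")
    print("peak attempts per 30 s:", peak_attempts(SAMPLE_LOG))
```

Raising `max_conn` shows how quickly a threshold stops catching a slow scanner: at 5/30 the 201.18.81.8 run is not flagged until 10:20:23, and at 6/30 it is never flagged at all, while the 72.11.128.61 burst of five attempts in four seconds is caught by anything up to 4/30.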