Please, don't use grok for that! From what I saw it is
vulnerable to very simple log injection attacks (you
need much more string regexes):

http://www.ossec.net/en/attacking-loganalysis.html


Be very careful when parsing logs for automated
remediation...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net


--- Rob <[EMAIL PROTECTED]> wrote:

> Although this doesn't answer your actual pf
> question, you might try
> using a tool called Grok
> (http://www.semicomplete.com/projects/grok/).
> It's a pretty decent log watcher written in Perl,
> designed to do
> exactly this sort of thing. You define matches and
> reactions in its
> config file (match = "Illegal user %USERNAME% from
> %IP%"; reaction =
> "pfctl -t scanners -T add %IP%";).
> 
> It does have a few quirks though. We've encountered
> problems with
> having multiple rules watching the same log. But,
> all in all, probably
> a better way to do what it looks like you want to
> do.
> 
> - R.
> 
> On 8/8/07, David Newman <[EMAIL PROTECTED]>
> wrote:
> >
> > On 6/27/07 10:39 PM, Daniel Ouellet wrote:
> > > Steve B wrote:
> > >> The rule I've had in my pf.conf file to catch and block forceful SSH
> > >> attempts no longer appears to be working. I see the entries in my
> > >> authlog, but the IPs are no longer getting added to my table. I suspect
> > >> I screwed something up, but so far I am at a loss to see where. Could
> > >> someone pass another set of eyes over the relevant parts of my pf.conf?
> > >
> > > Put quickly as an example, but you can try:
> > >
> > > # Define some variable for clarity
> > > SSH_LIMIT="(max-src-conn-rate 3/30, overload <scanners> flush global)"
> > >
> > > ## SSH Hackers - blocked IPs
> > > table <scanners> persist file "/etc/tables/scanners"
> > >
> > > # Block ssh access to bad ssh scanner
> > > block drop in log quick on $ext_if inet proto tcp \
> > >    from <scanners> to any port ssh
> > >
> > > # Allow quick valid traffic to ssh but log all attempts as well
> > > pass in log quick on $ext_if inet proto tcp from ! <scanners> \
> > >    to $ext_if port ssh flags S/SA keep state \
> > >    $SSH_LIMIT
> > >
> >
> > I've added something like this to pf.conf but it's only partially
> > successful. I would appreciate any clues as to why it's not blocking all
> > brute-force attempts.
> >
> > On an OBSD 4.1 box, here's what I added to pf.conf ($unpro is the
> > Internet-facing interface):
> >
> > #####
> >
> > # Define limit of ssh connection rates
> > SSH_LIMIT="(max-src-conn-rate 3/30, overload <scanners> flush global)"
> > # SSH scanners - blocked IPs
> > table <scanners> persist
> >
> > block drop in log quick on $unpro inet proto tcp \
> >   from <scanners> to any port ssh
> >
> >
> > # Allow quick valid traffic to ssh but log all attempts as well
> > pass in log quick on $unpro inet proto tcp from ! <scanners> \
> >    to $unpro port ssh $SSH_LIMIT
> >
> > #####
> >
> > And it appears to be working, at least in part:
> >
> > [EMAIL PROTECTED] ~ 501$ sudo pfctl -t scanners -T show
> >    61.146.178.13
> >    61.189.145.103
> >    67.76.237.190
> >    161.200.144.108
> >    193.254.31.194
> >
> > #####
> >
> > But some hosts on the protected side of the firewall still report
> > brute-force ssh login attempts exceeding the 3/30 rate:
> >
> > Aug  7 10:16:00 mail sshd[21608]: Invalid user trash from 201.18.81.8
> > Aug  7 10:16:08 mail sshd[21610]: Invalid user aaron from 201.18.81.8
> > Aug  7 10:16:11 mail sshd[21612]: Invalid user gt05 from 201.18.81.8
> > Aug  7 10:16:18 mail sshd[21614]: Invalid user william from 201.18.81.8
> > Aug  7 10:16:22 mail sshd[21616]: Invalid user stephanie from 201.18.81.8
> > Aug  7 10:16:59 mail sshd[21628]: Invalid user gary from 201.18.81.8
> > Aug  7 10:17:07 mail sshd[21632]: Invalid user guest from 201.18.81.8
> > Aug  7 10:17:11 mail sshd[21634]: Invalid user test from 201.18.81.8
> > Aug  7 10:17:17 mail sshd[21636]: Invalid user oracle from 201.18.81.8
> > Aug  7 10:19:24 mail sshd[21717]: Invalid user apache from 201.18.81.8
> > Aug  7 10:19:43 mail sshd[21723]: Invalid user lab from 201.18.81.8
> > Aug  7 10:19:55 mail sshd[21729]: Invalid user oracle from 201.18.81.8
> > Aug  7 10:20:00 mail sshd[21736]: Invalid user svn from 201.18.81.8
> > Aug  7 10:20:06 mail sshd[21745]: Invalid user iraf from 201.18.81.8
> > Aug  7 10:20:13 mail sshd[21747]: Invalid user swsoft from 201.18.81.8
> > Aug  7 10:20:18 mail sshd[21749]: Invalid user production from 201.18.81.8
> > Aug  7 10:20:23 mail sshd[21751]: Invalid user guest from 201.18.81.8
> > Aug  7 10:20:28 mail sshd[21753]: Invalid user gast from 201.18.81.8
> > Aug  7 10:20:34 mail sshd[21755]: Invalid user gast from 201.18.81.8
> > Aug  7 10:20:40 mail sshd[21762]: Invalid user oliver from 201.18.81.8
> > Aug  7 10:20:45 mail sshd[21767]: Invalid user sirsi from 201.18.81.8
> > Aug  7 10:20:50 mail sshd[21769]: Invalid user nagios from 201.18.81.8
> > Aug  7 10:20:55 mail sshd[21771]: Invalid user nagios from 201.18.81.8
> > Aug  7 10:20:59 mail sshd[21773]: Invalid user nagios from 201.18.81.8
> >
> > Thanks in advance for suggestions as to how to reduce this kind of
> > login attempt.
> >
> > dn
> >
>
iD8DBQFGufyzyPxGVjntI4IRAty2AJ9WDCqLqkWyhx/KuciGINow6Upb5wCfUuP+
> > GfZ8lnaun1QPItnFK5c4MNU=
> > =tjbD
> > -----END PGP SIGNATURE-----
> 
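To make Daniel's warning concrete against the sshd lines and the 3/30 rule quoted above, here is an added Python example (not code from the thread, from grok or from OSSEC): a loose first-"from" extraction beside an anchored parser that takes the source address from the end of the line, plus a sliding-window count that mirrors the quoted max-src-conn-rate 3/30 threshold. The sample lines, the assumed year 2007 and the function names are my own constructions.

```python
import re
from collections import deque
from datetime import datetime

# Anchored pattern for OpenSSH's "Invalid user <name> from <ip>" line: the name
# is client-supplied, so the source is taken from the END of the line ($).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>.*) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)
NAIVE_RE = re.compile(r"Invalid user (\S+) from (\S+)")  # first "from" wins

# Constructed sample: four lines from the thread plus one whose user name
# mimics a source field (the case the linked log-injection article warns about).
SAMPLE = """\
Aug  7 10:16:00 mail sshd[21608]: Invalid user trash from 201.18.81.8
Aug  7 10:16:08 mail sshd[21610]: Invalid user aaron from 201.18.81.8
Aug  7 10:16:11 mail sshd[21612]: Invalid user gt05 from 201.18.81.8
Aug  7 10:16:18 mail sshd[21614]: Invalid user william from 201.18.81.8
Aug  7 10:17:40 mail sshd[21700]: Invalid user admin from 192.0.2.7 from 198.51.100.9
""".splitlines()

def naive_source(line):
    """Source as a loosely written grok-style rule would report it."""
    m = NAIVE_RE.search(line)
    return m.group(2) if m else None

def parse_line(line):
    """Return (timestamp, source_ip) for a well-formed line, else None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None or any(int(o) > 255 for o in m.group("ip").split(".")):
        return None
    # syslog lines carry no year; 2007 is assumed from the thread date
    ts = datetime.strptime("2007 " + m.group("ts"), "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")

def offenders(lines, limit=3, window=30):
    """Sources with more than `limit` attempts in any `window` seconds (the quoted 3/30)."""
    recent, hits = {}, set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # never feed an unparsed line to a block list
        ts, ip = parsed
        q = recent.setdefault(ip, deque())
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > limit:
            hits.add(ip)
    return hits
```

pf's max-src-conn-rate counts TCP connections at the firewall, whereas this counts sshd lines on the host, so the two can disagree; note also that the quoted pass rule matches only traffic `to $unpro port ssh`, so connections destined for hosts behind the firewall are not rate-limited by it.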