Allie D. wrote:
I just had to reply with this info because I already had an attempted
brute force in the last hour. All you need to do is make your rule tighter
and add a connection rate ratio to start collecting IPs.


We use pf OS fingerprinting to only allow ssh connections from OpenBSD hosts. That pretty much solves the problem...

(I use logsentry/logcheck)
Security Violations
=-=-=-=-=-=-=-=-=-=
Aug  8 11:48:16 traci sshd[1099]: Failed password for invalid user root from 72.11.128.61 port 42049 ssh2
Aug  8 11:48:17 traci sshd[25952]: Failed password for invalid user root from 72.11.128.61 port 42104 ssh2
Aug  8 11:48:18 traci sshd[2543]: Failed password for invalid user root from 72.11.128.61 port 42149 ssh2
Aug  8 11:48:19 traci sshd[14785]: Failed password for invalid user root from 72.11.128.61 port 42193 ssh2
Aug  8 11:48:20 traci sshd[75]: Failed password for invalid user root from 72.11.128.61 port 42242 ssh2

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Aug  8 11:48:16 traci sshd[1099]: User root from 72.11.128.61 not allowed because not listed in AllowUsers
Aug  8 11:48:16 traci sshd[28065]: input_userauth_request: invalid user root
Aug  8 11:48:16 traci sshd[1099]: Failed password for invalid user root from 72.11.128.61 port 42049 ssh2
Aug  8 11:48:16 traci sshd[28065]: Received disconnect from 72.11.128.61: 11: Bye Bye
Aug  8 11:48:17 traci sshd[25952]: User root from 72.11.128.61 not allowed because not listed in AllowUsers
Aug  8 11:48:17 traci sshd[4408]: input_userauth_request: invalid user root
Aug  8 11:48:17 traci sshd[25952]: Failed password for invalid user root from 72.11.128.61 port 42104 ssh2
Aug  8 11:48:17 traci sshd[4408]: Received disconnect from 72.11.128.61: 11: Bye Bye
Aug  8 11:48:18 traci sshd[2543]: User root from 72.11.128.61 not allowed because not listed in AllowUsers
Aug  8 11:48:18 traci sshd[23885]: input_userauth_request: invalid user root
Aug  8 11:48:18 traci sshd[2543]: Failed password for invalid user root from 72.11.128.61 port 42149 ssh2
Aug  8 11:48:18 traci sshd[23885]: Received disconnect from 72.11.128.61: 11: Bye Bye
Aug  8 11:48:19 traci sshd[14785]: User root from 72.11.128.61 not allowed because not listed in AllowUsers
Aug  8 11:48:19 traci sshd[22134]: input_userauth_request: invalid user root
Aug  8 11:48:19 traci sshd[14785]: Failed password for invalid user root from 72.11.128.61 port 42193 ssh2
Aug  8 11:48:19 traci sshd[22134]: Received disconnect from 72.11.128.61: 11: Bye Bye
Aug  8 11:48:20 traci sshd[75]: User root from 72.11.128.61 not allowed because not listed in AllowUsers
Aug  8 11:48:20 traci sshd[12103]: input_userauth_request: invalid user root
Aug  8 11:48:20 traci sshd[75]: Failed password for invalid user root from 72.11.128.61 port 42242 ssh2
Aug  8 11:48:20 traci sshd[12103]: Received disconnect from 72.11.128.61: 11: Bye Bye

pfctl -t DoS_hosts -T show -v
   72.11.128.61
        Cleared:     Wed Aug  8 11:48:20 2007
        In/Block:    [ Packets: 6                  Bytes: 240                ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
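
The connection-rate idea from this thread, applied to the sshd log rather than the firewall, as an added example that is not part of the original posts: it rejoins mail-wrapped log lines and flags a source once it logs a set number of failed passwords inside a time window. The sample log, the thresholds (3 failures in 30 seconds) and the function names are constructed for illustration; pf itself counts connections, not failed logins.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the sshd/syslog format shown above, including
# mail-wrapped continuation lines. Addresses are documentation ranges.
SAMPLE_LOG = """\
Aug  8 11:48:16 host sshd[1001]: Failed password for invalid user root from
192.0.2.10 port 42049 ssh2
Aug  8 11:48:17 host sshd[1002]: Failed password for invalid user root from
192.0.2.10 port 42104 ssh2
Aug  8 11:48:18 host sshd[1003]: Failed password for invalid user root from
192.0.2.10 port 42149 ssh2
Aug  8 11:50:02 host sshd[1005]: Failed password for alice from 198.51.100.7 port 50111 ssh2
Aug  8 11:58:40 host sshd[1006]: Failed password for alice from 198.51.100.7 port 50240 ssh2
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def unwrap(text):
    """Rejoin wrapped records: a line without a syslog timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def offenders(text, max_failures=3, window_seconds=30, year=2007):
    """Return {ip: time the threshold was first reached} for noisy sources."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for rec in unwrap(text):
        m = FAILED.search(rec)
        if not m:
            continue
        # syslog omits the year, so one is supplied to get a full date
        when = datetime.strptime(f"{year} {rec[:15]}", "%Y %b %d %H:%M:%S")
        q = recent[m.group(1)]
        q.append(when)
        while when - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) >= max_failures:
            flagged.setdefault(m.group(1), when)
    return flagged
```

The addresses returned by `offenders()` are the ones a rate-limited pf rule would be expected to place in a table such as `DoS_hosts`, so the two views can be compared.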
