bruteforce not restarting pf?

Dave Tue, 08 Nov 2005 09:10:31 -0800

Hello,

I've got a machine running 5.4, offering ssh services and runningbruteforce. In my daily security log emails i am seeing entries like:

Nov 7 07:06:55 zeus sshd[24747]: Failed password for illegal user miha from163.13.111.172 port 56265 ssh2Nov 7 07:06:58 zeus sshd[24749]: Failed password for illegal user miha from163.13.111.172 port 56319 ssh2Nov 7 07:07:01 zeus sshd[24751]: Failed password for root from163.13.111.172 port 56376 ssh2Nov 7 07:07:03 zeus sshd[24753]: Failed password for root from163.13.111.172 port 56418 ssh2Nov 7 07:07:05 zeus sshd[24757]: Failed password for illegal user simonfrom 163.13.111.172 port 56461 ssh2Nov 7 07:07:08 zeus sshd[24759]: Failed password for illegal user simonfrom 163.13.111.172 port 56504 ssh2Nov 7 07:07:10 zeus sshd[24761]: Failed password for root from163.13.111.172 port 56543 ssh2Nov 7 07:07:12 zeus sshd[24763]: Failed password for root from163.13.111.172 port 56589

...

I know these are automated atempts at entry but i thought bruteforce wassuppose to stop these. In my auth.log i do see the IP being added, butconnections are still allowed. Here's the snipet:

Nov 7 06:54:52 zeus sshd[24687]: fatal: Timeout before authentication for163.13.111.172

Nov  7 07:06:55 zeus sshd[24747]: Illegal user miha from 163.13.111.172

Nov 7 07:06:55 zeus sshd[24747]: Failed password for illegal user miha from163.13.111.172 port 56265 ssh2

163.13.111.172 was logged with total count of 1.
Nov  7 07:06:58 zeus sshd[24749]: Illegal user miha from 163.13.111.172

Nov 7 07:06:58 zeus sshd[24749]: Failed password for illegal user miha from163.13.111.172 port 56319 ssh2

163.13.111.172 was logged with total count of 2.

Nov 7 07:07:01 zeus sshd[24751]: Failed password for root from163.13.111.172 port 56376 ssh2

163.13.111.172 was logged with total count of 3.

Nov 7 07:07:03 zeus sshd[24753]: Failed password for root from163.13.111.172 port 56418 ssh2

IP 163.13.111.172 reached the maximum number of failed attempts!!!
Adding IP to the firewall...
Nov  7 07:07:05 zeus sshd[24757]: Illegal user simon from 163.13.111.172

Nov 7 07:07:05 zeus sshd[24757]: Failed password for illegal user simonfrom 163.13.111.172 port 56461 ssh2

Nov  7 07:07:08 zeus sshd[24759]: Illegal user simon from 163.13.111.172

Nov 7 07:07:08 zeus sshd[24759]: Failed password for illegal user simonfrom 163.13.111.172 port 56504 ssh2Nov 7 07:07:10 zeus sshd[24761]: Failed password for root from163.13.111.172 port 56543 ssh2

Checking my bruteforce table ;i see 163.13.111.172/32 in it, so it wasadded, but i don't get why future connections were permitted unless pf wasnot restarted or informed about the updated table. In my pf.conf file ihave:


table <bruteforce> persist file "/etc/bruteforce"
set block-policy drop

block in log quick on $ext_if inet proto tcp from <bruteforce> to any portssh


Any help appreciated.
Thanks.
Dave.

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

bruteforce not restarting pf?

Reply via email to