Hi Nick
Nick Ryan wrote:
Strange. It's working for me - I've just tested my own setup again and
it blocks me. Although the file logging isn't working though - not sure
why that is...
This, I think, is the interesting part because I want that very log
file to be the "blacklist" file and then to have Swatch make pf grab
that file.
That way each time there is an "Illegal user" the log file is extended
with the IP and pf adds that IP to the block rule.
I will try to work on this before working more on the missing block part :-)
Thanks for your reply!
Kindly
Rico.
Can you confirm that your pf rules have the block line in before the
permit rule and that it's correct for your firewall rules - i.e. no other
rule is overriding it and that you're testing it on the interface the
rule is on - i.e. the external interface.
You could change your permit ssh line to be something like this:
pass in log quick inet proto tcp from !<sshdtrolls> to $EXT_IF port 22 modulate state label "ssh in" flags S/SA
Change that line for whatever suits your rules - it's just an example of
the !<sshdtrolls> bit. You probably don't even need the block rule in
with this.
Also check the IP address in the table with pfctl -t sshdtrolls -T show
and make sure it's correct.
The reason I think it's a firewall rule is that you said it said 1/1
address added which means that it's picking it up from the logs and
adding it to the table - the only other place it can go wrong is in the
block rule.
Let me know how you get on.
Cheers - Nick
Rico wrote:
Dear Nick
I have tried your setup below. I too have the setup and file placement
as you, but I am not using keys.
When I try to log on as an illegal user, the attempt is logged by
authlog, and having swatch running from the console it says:
1/1 addresses added.
I am using this 'table <sshdtrolls> persist file "/root/pf/sshdhackers"'
I don't get any entries in the sshdhackers file and I don't get
blocked from the system.
I also use AllowUsers
Would you mind explaining a bit more about your setup?
Friendly
Rico.
Nick Ryan wrote:
What you could also do is install swatch from ports or packages and
have a table in your pf.conf like this:
table <sshdtrolls> persist
and a rule
#stop ssh trolls
block in log quick on $EXT_IF inet proto {tcp,udp} from <sshdtrolls> to $EXT_IF port ssh label "SSHDTrolls"
A swatchrc file of:
watchfor /Failed password for invalid user/
exec /sbin/pfctl -t sshdtrolls -T add $13
[EMAIL PROTECTED], --subject=woo. we have a troll
throttle 02:00
exec echo $13 >> /root/swatchlog
Then run swatch with:
/usr/local/bin/swatch -c /root/swatchrc -t /var/log/authlog &
(Note file locations and settings might need to be changed depending
on your config)
I also have the AllowUsers and use PubkeyAuthentication and
PasswordAuthentication No settings enabled in sshd_config. This means
that for a normal login the error "Failed password for invalid user"
won't come up as it'll never get that far as it's expecting a key.
If a troll tries to log in, they get one chance before the swatch
picks it up and adds it to the block table.
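The following script is an added example, not code from Nick's or Rico's setup. It ties together Nick's swatchrc (where "$13" is the thirteenth whitespace-separated field of the authlog line) and Rico's wish to keep a "blacklist" file that pf loads as the <sshdtrolls> table. Note that "pfctl -T add" changes the table in the kernel only; nothing is written back to the file named in "persist file", which is why a growing file has to be maintained separately and then pushed into the table. The hostname, PIDs, addresses and log lines below are constructed, and the file paths are the ones from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. It shows (a) what swatch's $13 is
# on an OpenBSD authlog line, (b) a field-independent way to pull out the
# address, and (c) how to keep a de-duplicated blacklist file that pf can load
# with  table <sshdtrolls> persist file "/root/pf/sshdhackers".
# All hostnames, PIDs, addresses and the log lines below are constructed.

# Constructed sample authlog lines.
SAMPLE_LOG='Mar 10 12:34:56 gw sshd[4711]: Failed password for invalid user admin from 192.0.2.10 port 43210 ssh2
Mar 10 12:35:01 gw sshd[4712]: Failed password for invalid user test from 192.0.2.10 port 43211 ssh2
Mar 10 12:35:09 gw sshd[4713]: Accepted publickey for rico from 198.51.100.7 port 50000 ssh2
Mar 10 12:35:30 gw sshd[4714]: Failed password for invalid user back up from 203.0.113.5 port 60000 ssh2'

# Whitespace field 13 of a log line: exactly what swatch substitutes for $13.
# "Mar 10 12:34:56 gw sshd[4711]: Failed password for invalid user admin from <ip> ..."
#   1   2  3        4  5          6      7        8   9       10   11    12   13
field13() {
    printf '%s\n' "$1" | awk '{ print $13 }'
}

# Take the token between " from " and " port " instead: an invalid user name
# that contains a space shifts the address out of field 13 (see the last
# sample line), and a shifted $13 would be handed to pfctl as an address.
extract_ip() {
    printf '%s\n' "$1" | sed -n 's/.* from \([0-9A-Fa-f.:]*\) port [0-9]*.*/\1/p'
}

# Append an address to the blacklist file unless it is already there.
# Returns 0 for a new entry, 1 for a duplicate.
add_to_blacklist() {
    file=$1; ip=$2
    [ -f "$file" ] || : > "$file"
    grep -qxF "$ip" "$file" && return 1
    printf '%s\n' "$ip" >> "$file"
}

# Run every "Failed password for invalid user" line through the blacklist
# and print how many new addresses were written.
process_log() {
    file=$1; logtext=$2
    [ -f "$file" ] || : > "$file"
    before=$(wc -l < "$file" | tr -d ' ')
    printf '%s\n' "$logtext" | grep 'Failed password for invalid user' |
    while read -r line; do
        ip=$(extract_ip "$line")
        [ -n "$ip" ] && add_to_blacklist "$file" "$ip" || :
    done
    after=$(wc -l < "$file" | tr -d ' ')
    echo $((after - before))
}

# Stand-alone demo; set BLACKLIST_DEMO=1 to run it. On the firewall the file
# would then be pushed into the table with:
#   pfctl -t sshdtrolls -T replace -f /root/pf/sshdhackers
if [ "${BLACKLIST_DEMO:-0}" = 1 ]; then
    tmp=$(mktemp)
    echo "new entries: $(process_log "$tmp" "$SAMPLE_LOG")"
    cat "$tmp"
    rm -f "$tmp"
fi
```

Run it with BLACKLIST_DEMO=1 to see the two addresses that survive de-duplication from the four sample lines. In a swatchrc the exec line could call extract_ip-style parsing of $0 (the whole line) rather than $13, and a second exec could append to the blacklist file as Rico wants; after that, "pfctl -t sshdtrolls -T replace -f /root/pf/sshdhackers" makes the table match the file, and "pfctl -t sshdtrolls -T show" (as Nick suggests) confirms what is actually loaded.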