I have some rules in my pf.conf for ssh brute force where it should block and log the offending IP address in the /etc/bruteforce file. I also told syslog to log all ssh logging in /var/log/sshd. I can see some failed logins in /var/log/sshd, but my /etc/bruteforce file is still empty. Here's my pf.conf -
    ext_if = "fxp0"
    tcp_services = "{80, 443, 123}"
    udp_services = "{123}"
    icmp_services = "{echo_req}"

    set block-policy drop
    set loginterface $ext_if

    scrub in all fragment reassemble
    scrub out all random-id fragment reassemble

    block all
    pass quick on lo0 all
    pass out quick on lo0 all

    table <bruteforce> persist file "/etc/bruteforce"
    block quick from <bruteforce>

    antispoof log for { lo0, $ext_if }
    block drop in quick log on $ext_if inet6 all

    pass in log on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
    pass in on $ext_if inet proto tcp from any to ($ext_if) port $udp_services
    pass inet proto tcp from any to any port ssh \
        flags S/SA keep state \
        (max-src-conn 10, max-src-conn-rate 5/3, \
        overload <bruteforce> flush global)
    pass out log on $ext_if inet proto tcp from any to any port $tcp_services
    block drop in quick on $ext_if from any to {255.255.255.255, 192.168.25.255}
    block drop out quick on $ext_if inet proto icmp from any to {192.168.25.1}
    block quick from any os NMAP
    pass out log on $ext_if proto { tcp, udp, icmp } all keep state
    block drop out quick log on $ext_if inet proto tcp from any to port 22

Here's what I can see in my /var/log/sshd -

    Invalid user test from xxx.xx.xx.xx
    input_userauth_request: invalid user test
    Failed password for invalid user test from xxx.xx.xx.xx port 43734 ssh2

Is there anything I am doing wrong in my pf.conf? Thanks for any help.
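An added example, not part of the post above and not pf's own tooling: pf's `max-src-conn-rate 5/3 ... overload <bruteforce>` only fires when one source opens more than 5 new TCP connections in 3 seconds, so a client that fails passwords slowly over a few connections never enters the table. The script below reads the sshd log the post configured (`/var/log/sshd`, assumed path), counts `Failed password` lines per source address, and adds any source over a threshold to the same `<bruteforce>` table with `pfctl`, where the post's `block quick from <bruteforce>` rule then drops it.

```shell
#!/bin/sh
# Log-driven feeder for the <bruteforce> pf table. Assumptions: sshd logs to
# /var/log/sshd (as in the post) and the ruleset defines table <bruteforce>.
LOG="${LOG:-/var/log/sshd}"
THRESHOLD="${THRESHOLD:-5}"

# Print "count ip" for every source with at least THRESHOLD failed passwords.
# The "from" token is located by position because the user part varies
# ("for root from", "for invalid user test from").
failed_sources() {
    awk -v t="$THRESHOLD" '
        /Failed password for .* from [0-9.]+ port/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' "$1"
}

# Add offending sources to the pf table; needs root and a loaded ruleset.
block_sources() {
    failed_sources "$1" | while read -r count ip; do
        echo "blocking $ip after $count failed logins"
        pfctl -t bruteforce -T add "$ip"
    done
}

# Constructed sample log (not real data) so the counting can be tried offline.
SAMPLE="${TMPDIR:-/tmp}/sshd.sample.$$"
cat > "$SAMPLE" <<'EOF'
Invalid user test from 203.0.113.7
input_userauth_request: invalid user test
Failed password for invalid user test from 203.0.113.7 port 43734 ssh2
Failed password for invalid user test from 203.0.113.7 port 43801 ssh2
Failed password for root from 203.0.113.7 port 43902 ssh2
Failed password for invalid user admin from 203.0.113.7 port 44011 ssh2
Failed password for invalid user oracle from 203.0.113.7 port 44120 ssh2
Failed password for alice from 198.51.100.4 port 51000 ssh2
Accepted publickey for alice from 198.51.100.4 port 51001 ssh2
EOF

# Run with --apply as root to feed the live log into the table.
if [ "${1:-}" = "--apply" ]; then
    block_sources "$LOG"
fi
```

Run it from cron or a periodic job; `pfctl -t bruteforce -T show` lists what it has added, and the `persist file` option in the post keeps the table across reloads.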