preventing ssh brute force attacks, swatch and users and table

Dave dmehler26 at woh.rr.com
Tue Apr 24 18:00:31 UTC 2007 

Hello,
    I've got a machine running ssh and i'm trying to cut down on brute force 
attacks on it. I'm running pf on a freebsd 6.2 box and have added in swatch 
to try to curve these attacks. The problem is nothing is being added to 
either the memory hackers table nor the ondisk copy of it. I know i'm 
getting hits because i'm seeing entries in my auth.log like this:

Apr 21 06:18:38 zeus sshd[10609]: Did not receive identification string from 
125.33.163.188
Apr 21 06:22:55 zeus sshd[10658]: User root from 125.33.163.188 not allowed 
because none of user's groups are listed in AllowGroups
Apr 21 06:22:55 zeus sshd[10658]: Failed password for invalid user root from 
125.33.163.188 port 54521 ssh2
Apr 21 06:22:57 zeus sshd[10660]: User root from 125.33.163.188 not allowed 
because none of user's groups are listed in AllowGroups
Apr 21 06:22:57 zeus sshd[10660]: Failed password for invalid user root from 
125.33.163.188 port 54727 ssh2
Apr 24 00:52:08 zeus sshd[7746]: Failed password for invalid user root from 
218.205.231.39 port 61694 ssh2
Apr 24 00:52:11 zeus sshd[7749]: User root from 218.205.231.39 not allowed 
because none of user's groups are listed in AllowGroups
Apr 24 00:52:11 zeus sshd[7749]: Failed password for invalid user root from 
218.205.231.39 port 61773 ssh2

I don't want to move my ssh, i feel these bots would just find it again. I'm 
also getting postfix atempts i'd like to block them both. My swatch 
configuration looks like this:

rc.conf
swatch_enable="YES"
swatch_rules="1"
swatch_1_flags="--config-file=/usr/local/etc/swatchrc --tail-file=/var/log/auth.log 
 --daemon --pid-file=/var/run/swatch.pid"
swatch_1_user="root"
swatch_1_chdir="/var/tmp"
 swatch_1_pidfile="/var/run/swatch.pid"

In pf i have a block by default policy and i've got these lines:
table <hackers> persist file "/etc/hackers"
block all
block in quick on $ext_if from <hackers> to any

and /usr/local/etc/swatchrc calls a script that looks like:
#!/bin/sh
/sbin/pfctl -t hackers -T add $1
/bin/echo $1 >> /etc/hackers
/usr/bin/logger swatch: $1 caught with bad login. Added to hackers pf table

If there's a better way that i can get both ssh and smtp bots i'd like to 
know about it, also if my config is wrong let me know it's not working. One 
thing, i do not want to unblock atempted hackings, my feeling is those that 
do it should have no further interactions with my machines on any level.
Thanks.
Dave.

More information about the freebsd-pf mailing list