sshguard pf

Hasse Hansson hasse at thorshammare.org
Sun Nov 2 16:12:47 UTC 2014


Hello

uname -a
FreeBSD ymer.thorshammare.org 10.1-RC3 FreeBSD 10.1-RC3 #0 r273437: Wed Oct 22 01:27:10 UTC 2014 root at releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  i386

I have a bit of a problem getting some bots blocked. I'm running pf and sshguard. Even tried fail2ban.
Below is a snippet from my auth.log showing sshguard blocking some IPs, but not the bot scans.
Both tables abusers and sshguard are empty and always were.
This junk is filling up my logfiles.
Any clues what I'm doing wrong or missing?

I'm running two crontabs:
# Sshguard
0/1     *       *       *       *       root pfctl -t sshguard -T show >/etc/sshguard 2>/dev/null
#
# Bruteforce ssh
0/2     *       *       *       *       root pfctl -t abusers -T show >/etc/abusers 2>/dev/null


In /etc/ssh/sshd_config I've uncommented:
Port 22
AddressFamily any
Protocol 2
SyslogFacility AUTH
LogLevel INFO

# Authentication:

LoginGraceTime 1m
PermitRootLogin no
StrictModes yes
MaxAuthTries 5
MaxSessions 10

PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no

MaxStartups 10:30:100

In my /etc/rc.conf I have:
pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
sshguard_enable="YES"
sshguard_safety_thresh="30"
sshguard_pardon_min_interval="600"
sshguard_prescribe_interval="7200"

In /etc/pf.conf:
ext_if="fxp0"
int_if="xl0"
webports="{ http, https }"

table <abusers> counters persist
table <sshguard> persist

set skip on lo
scrub in

block in
pass out

block quick from <abusers> to any
block drop in log quick on $ext_if inet from <sshguard> to any

pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 2/120, overload <abusers> flush)

antispoof quick for { lo $ext_if $int_if }

pass in on $ext_if proto tcp to ($ext_if) port ssh
pass in log on $ext_if proto tcp to ($ext_if) port smtp
pass out log on $ext_if proto tcp from ($ext_if) to port smtp
pass in log on $ext_if proto tcp to ($ext_if) port $webports
pass out log on $ext_if proto tcp from ($ext_if) to port $webports

pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type { unreach, redir, timex }

<snip>
Nov  2 07:51:13 ymer sshguard[19225]: Blocking 103.27.24.106:4 for >900secs: 30 danger in 3 attacks over 18 seconds (all: 30d in 1 abuses over 18s).
Nov  2 10:35:35 ymer sshguard[19225]: Blocking 60.190.71.52:4 for >900secs: 30 danger in 3 attacks over 8 seconds (all: 30d in 1 abuses over 8s).
Nov  2 11:09:50 ymer sshguard[19225]: Blocking 122.225.97.105:4 for >900secs: 30 danger in 3 attacks over 65 seconds (all: 30d in 1 abuses over 65s).
Nov  2 13:10:52 ymer sshguard[19225]: Blocking 50.30.32.19:4 for >900secs: 30 danger in 3 attacks over 4 seconds (all: 30d in 1 abuses over 4s).
Nov  2 14:34:55 ymer sshguard[19225]: Blocking 61.174.51.212:4 for >900secs: 30 danger in 3 attacks over 69 seconds (all: 30d in 1 abuses over 69s).

Nov  2 16:32:09 ymer sshd[42957]: Connection from 202.109.143.110 port 3453 on 192.168.1.2 port 22
Nov  2 16:32:13 ymer sshd[42957]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:32:14 ymer sshd[42959]: Connection from 202.109.143.110 port 2838 on 192.168.1.2 port 22
Nov  2 16:32:17 ymer sshd[42959]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:32:21 ymer sshd[42961]: Connection from 202.109.143.110 port 3611 on 192.168.1.2 port 22
Nov  2 16:32:34 ymer sshd[42961]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:32:41 ymer sshd[42963]: Connection from 202.109.143.110 port 2507 on 192.168.1.2 port 22
Nov  2 16:32:48 ymer sshd[42963]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:32:49 ymer sshd[42965]: Connection from 202.109.143.110 port 4650 on 192.168.1.2 port 22
Nov  2 16:32:52 ymer sshd[42965]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:32:52 ymer sshd[42967]: Connection from 202.109.143.110 port 4650 on 192.168.1.2 port 22
Nov  2 16:33:01 ymer sshd[42967]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:33:02 ymer sshd[42983]: Connection from 202.109.143.110 port 4316 on 192.168.1.2 port 22
Nov  2 16:33:12 ymer sshd[42983]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:33:18 ymer sshd[42985]: Connection from 202.109.143.110 port 2539 on 192.168.1.2 port 22
Nov  2 16:33:27 ymer sshd[42985]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:33:28 ymer sshd[42987]: Connection from 202.109.143.110 port 4555 on 192.168.1.2 port 22
Nov  2 16:33:35 ymer sshd[42987]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:33:38 ymer sshd[42989]: Connection from 202.109.143.110 port 3164 on 192.168.1.2 port 22
Nov  2 16:33:43 ymer sshd[42989]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:33:43 ymer sshd[42991]: Connection from 202.109.143.110 port 4749 on 192.168.1.2 port 22
Nov  2 16:33:52 ymer sshd[42991]: fatal: Read from socket failed: Connection reset by peer [preauth]
</snip>

Best Regards
Hasse.
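Added example, not part of Hasse's post and not sshguard code: the sshd lines in the excerpt carry no "Failed password" or "Invalid user" entries, only "Disconnecting: Too many authentication failures for root [preauth]", and that disconnect line names only the sshd PID, not the client address. A detector therefore has to tie the PID back to its earlier "Connection from" line before it can count per source. The script below does exactly that over the quoted lines (the second source, 203.0.113.7, and its two lines are constructed so that a single failure is visibly not flagged) and applies a sliding time window so the threshold and window can be checked against what sshguard_safety_thresh and max-src-conn-rate are meant to catch. Separately, one check worth making on the pf.conf above: pf evaluates rules last-match-wins unless `quick` is set, so the later `pass in on $ext_if proto tcp to ($ext_if) port ssh` rule, which carries no state options, overrides the earlier ssh rule with `overload <abusers>` for the same packets; `pfctl -sr` shows the order pf actually loaded and `pfctl -t abusers -T show` confirms whether anything ever lands in the table.

```python
import re
from collections import defaultdict

# Constructed sample: the sshd lines quoted in the post, plus two extra lines
# for a second source (203.0.113.7, a documentation address) that fails once.
SAMPLE_LOG = """\
Nov  2 16:32:09 ymer sshd[42957]: Connection from 202.109.143.110 port 3453 on 192.168.1.2 port 22
Nov  2 16:32:13 ymer sshd[42957]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:32:14 ymer sshd[42959]: Connection from 202.109.143.110 port 2838 on 192.168.1.2 port 22
Nov  2 16:32:17 ymer sshd[42959]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:32:21 ymer sshd[42961]: Connection from 202.109.143.110 port 3611 on 192.168.1.2 port 22
Nov  2 16:32:34 ymer sshd[42961]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:32:41 ymer sshd[42963]: Connection from 202.109.143.110 port 2507 on 192.168.1.2 port 22
Nov  2 16:32:48 ymer sshd[42963]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:32:49 ymer sshd[42965]: Connection from 202.109.143.110 port 4650 on 192.168.1.2 port 22
Nov  2 16:32:52 ymer sshd[42965]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:32:52 ymer sshd[42967]: Connection from 202.109.143.110 port 4650 on 192.168.1.2 port 22
Nov  2 16:33:01 ymer sshd[42967]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:33:02 ymer sshd[42983]: Connection from 202.109.143.110 port 4316 on 192.168.1.2 port 22
Nov  2 16:33:12 ymer sshd[42983]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:33:18 ymer sshd[42985]: Connection from 202.109.143.110 port 2539 on 192.168.1.2 port 22
Nov  2 16:33:27 ymer sshd[42985]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:33:28 ymer sshd[42987]: Connection from 202.109.143.110 port 4555 on 192.168.1.2 port 22
Nov  2 16:33:35 ymer sshd[42987]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:33:38 ymer sshd[42989]: Connection from 202.109.143.110 port 3164 on 192.168.1.2 port 22
Nov  2 16:33:43 ymer sshd[42989]: Disconnecting: Too many authentication failures for root [preauth]
Nov  2 16:33:43 ymer sshd[42991]: Connection from 202.109.143.110 port 4749 on 192.168.1.2 port 22
Nov  2 16:33:52 ymer sshd[42991]: fatal: Read from socket failed: Connection reset by peer [preauth]
Nov  2 16:40:00 ymer sshd[43010]: Connection from 203.0.113.7 port 5000 on 192.168.1.2 port 22
Nov  2 16:40:04 ymer sshd[43010]: Disconnecting: Too many authentication failures for root [preauth]
"""

TIME_RE = re.compile(r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d) ")
CONNECT_RE = re.compile(r"sshd\[(\d+)\]: Connection from (\S+) port \d+ on ")
TOOMANY_RE = re.compile(r"sshd\[(\d+)\]: Disconnecting: Too many authentication failures for (\S+)")


def _seconds(line):
    """Seconds since midnight from the syslog timestamp (day rollover ignored)."""
    m = TIME_RE.match(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


def preauth_disconnects(log_text):
    """Map source IP -> sorted times (s) at which sshd dropped it for too many
    authentication failures. The disconnect line only carries the sshd PID, so
    the source is recovered from that PID's earlier 'Connection from' line."""
    pid_to_src = {}
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            pid_to_src[m.group(1)] = m.group(2)
            continue
        m = TOOMANY_RE.search(line)
        if m:
            src = pid_to_src.get(m.group(1))
            t = _seconds(line)
            if src is not None and t is not None:
                events[src].append(t)
    return {src: sorted(ts) for src, ts in events.items()}


def flag_bursts(log_text, threshold=3, window_s=120):
    """Sources with at least `threshold` disconnects inside any window_s span
    (sliding window over the sorted event times)."""
    flagged = []
    for src, ts in preauth_disconnects(log_text).items():
        j = 0
        for i in range(len(ts)):
            while ts[i] - ts[j] > window_s:
                j += 1
            if i - j + 1 >= threshold:
                flagged.append(src)
                break
    return sorted(flagged)


if __name__ == "__main__":
    for src, ts in preauth_disconnects(SAMPLE_LOG).items():
        print(f"{src}: {len(ts)} preauth disconnects")
    print("flagged:", flag_bursts(SAMPLE_LOG))
```

With the defaults (3 disconnects within 120 s, roughly the "3 attacks" sshguard reports for the sources it did block) the run flags 202.109.143.110 and leaves the single-failure source alone; tightening the window to 5 s flags nothing, which is the kind of knob-versus-log check to make before trusting a threshold.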