Tuesday, November 8, 2005, 6:02:02 PM, you wrote these comments:
> I've got a machine running 5.4, offering ssh services and running
> bruteforce. In my daily security log emails I am seeing entries like:
> I know these are automated attempts at entry but I thought bruteforce was
> supposed to stop these. In my auth.log I do see the IP being added, but
> connections are still allowed. Here's the snippet:
> 126.96.36.199 port 56376 ssh2
> 188.8.131.52 was logged with total count of 3.
> Nov 7 07:07:03 zeus sshd: Failed password for root from
> 184.108.40.206 port 56418 ssh2
> IP 220.127.116.11 reached the maximum number of failed attempts!!!
> Adding IP to the firewall...
> Nov 7 07:07:05 zeus sshd: Illegal user simon from 18.104.22.168
> Nov 7 07:07:05 zeus sshd: Failed password for illegal user simon
> from 22.214.171.124 port 56461 ssh2
> Nov 7 07:07:08 zeus sshd: Illegal user simon from 126.96.36.199
> Nov 7 07:07:08 zeus sshd: Failed password for illegal user simon
> from 188.8.131.52 port 56504 ssh2
> Nov 7 07:07:10 zeus sshd: Failed password for root from
> 184.108.40.206 port 56543 ssh2
> Checking my bruteforce table; I see 220.127.116.11/32 in it, so it was
> added, but I don't get why future connections were permitted unless pf was
> not restarted or informed about the updated table. In my pf.conf file I
What version of bruteforceblocker do you use?
> table <bruteforce> persist file "/etc/bruteforce"
> set block-policy drop
> block in log quick on $ext_if inet proto tcp from <bruteforce> to any port
> Any help appreciated.
Btw I'm about to release a new version in the near future, the code is done,
but the port isn't yet :)
DanGer, ICQ: 261701668 | e-mail protecting at: http://www.2pu.net/
http://danger.rulez.sk | proxy list at: http://www.proxy-web.com/
| FreeBSD - The Power to Serve!
[ This is starting to get interesting, don't you think? ]