Hello Dave,
Tuesday, November 8, 2005, 6:02:02 PM, you wrote these comments:
> Hello,
> I've got a machine running 5.4, offering ssh services and running
> bruteforce. In my daily security log emails i am seeing entries like:
<snip>
> I know these are automated atempts at entry but i thought bruteforce was
> suppose to stop these. In my auth.log i do see the IP being added, but
> connections are still allowed. Here's the snipet:
<snip>
> 163.13.111.172 port 56376 ssh2
> 163.13.111.172 was logged with total count of 3.
> Nov 7 07:07:03 zeus sshd[24753]: Failed password for root from
> 163.13.111.172 port 56418 ssh2
> IP 163.13.111.172 reached the maximum number of failed attempts!!!
> Adding IP to the firewall...
> Nov 7 07:07:05 zeus sshd[24757]: Illegal user simon from 163.13.111.172
> Nov 7 07:07:05 zeus sshd[24757]: Failed password for illegal user simon
> from 163.13.111.172 port 56461 ssh2
> Nov 7 07:07:08 zeus sshd[24759]: Illegal user simon from 163.13.111.172
> Nov 7 07:07:08 zeus sshd[24759]: Failed password for illegal user simon
> from 163.13.111.172 port 56504 ssh2
> Nov 7 07:07:10 zeus sshd[24761]: Failed password for root from
> 163.13.111.172 port 56543 ssh2
> Checking my bruteforce table ;i see 163.13.111.172/32 in it, so it was
> added, but i don't get why future connections were permitted unless pf was
> not restarted or informed about the updated table. In my pf.conf file i
> have:
what version of bruteforceblocker do you use?
> table <bruteforce> persist file "/etc/bruteforce"
> set block-policy drop
> block in log quick on $ext_if inet proto tcp from <bruteforce> to any port
> ssh
> Any help appreciated.
> Thanks.
> Dave.
Btw I'm about to release new version in a near future, the code is done,
but the port isn't yet :)
--
Best Regards,
DanGer, ICQ: 261701668 | e-mail protecting at: http://www.2pu.net/
http://danger.rulez.sk | proxy list at: http://www.proxy-web.com/
| FreeBSD - The Power to Serve!
[ This is starting to get interesting, don't you think? ]