Although this doesn't answer your actual pf question, you might try
using a tool called Grok (http://www.semicomplete.com/projects/grok/ ).
It's a pretty decent log watcher written in Perl, designed to do
exactly this sort of thing. You define matches and reactions in its
config file (match = "Illegal user %USERNAME% from %IP%"; reaction =
"pfctl -t scanners -T add %IP%";).
It does have a few quirks though. We've encountered problems with
having multiple rules watching the same log. But, all in all, probably
a better way to do what it looks like you want to do.
- R.
On 8/8/07, David Newman <dnewman@networktest.com> wrote:
quoted text > -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 6/27/07 10:39 PM, Daniel Ouellet wrote:
> > Steve B wrote:
> >> The rule I've had in my pf.conf file to catch and block forceful SSH
> >> attempts no longer appears to be working. I see the entries in my
> >> authlog,
> >> but the IPs are no longer getting added to my table. I suspect I screwed
> >> something up, but so far I am at a loss to see where. Could someone pass
> >> another set of eyes over the relevant parts of my pf.conf?
> >
> > Put quickly as an example, but you can try:
> >
> > # Define some variable for clarity
> > SSH_LIMIT="(max-src-conn-rate 3/30, overload <scanners> flush global)"
> >
> > ## SSH Hackers - blocked IPs
> > table <scanners> persist file "/etc/tables/scanners"
> >
> > # Block ssh access to bad ssh scanner
> > block drop in log quick on $ext_if inet proto tcp \
> > from <scanners> to any port ssh
> >
> > # Allow quick valid traffic to ssh but log all attempts as well
> > pass in log quick on $ext_if inet proto tcp from ! <scanners> \
> > to $ext_if port ssh flags S/SA keep state \
> > $SSH_LIMIT
> >
>
> I've added something like this to pf.conf but it's only partially
> successful. I would appreciate any clues as to why it's not blocking all
> brute-force attempts.
>
> On an OBSD 4.1 box, here's what I added to pf.conf ($unpro is the
> Internet-facing interface):
>
> #####
>
> # Define limit of ssh connection rates
> SSH_LIMIT="(max-src-conn-rate 3/30, overload <scanners> flush global)"
> # SSH scanners - blocked IPs
> table <scanners> persist
>
> block drop in log quick on $unpro inet proto tcp \
> from <scanners> to any port ssh
>
>
> # Allow quick valid traffic to ssh but log all attempts as well
> pass in log quick on $unpro inet proto tcp from ! <scanners> \
> to $unpro port ssh $SSH_LIMIT
>
> #####
>
> And it appears to be working, at least in part:
>
> dnewman@fw17 ~ 501$ sudo pfctl -t scanners -T show
> 61.146.178.13
> 61.189.145.103
> 67.76.237.190
> 161.200.144.108
> 193.254.31.194
>
> #####
>
> But some hosts on the protected side of the firewall still report
> brute-force ssh login attempts exceeding the 3/30 rate:
>
> Aug 7 10:16:00 mail sshd[21608]: Invalid user trash from 201.18.81.8
> Aug 7 10:16:08 mail sshd[21610]: Invalid user aaron from 201.18.81.8
> Aug 7 10:16:11 mail sshd[21612]: Invalid user gt05 from 201.18.81.8
> Aug 7 10:16:18 mail sshd[21614]: Invalid user william from 201.18.81.8
> Aug 7 10:16:22 mail sshd[21616]: Invalid user stephanie from 201.18.81.8
> Aug 7 10:16:59 mail sshd[21628]: Invalid user gary from 201.18.81.8
> Aug 7 10:17:07 mail sshd[21632]: Invalid user guest from 201.18.81.8
> Aug 7 10:17:11 mail sshd[21634]: Invalid user test from 201.18.81.8
> Aug 7 10:17:17 mail sshd[21636]: Invalid user oracle from 201.18.81.8
> Aug 7 10:19:24 mail sshd[21717]: Invalid user apache from 201.18.81.8
> Aug 7 10:19:43 mail sshd[21723]: Invalid user lab from 201.18.81.8
> Aug 7 10:19:55 mail sshd[21729]: Invalid user oracle from 201.18.81.8
> Aug 7 10:20:00 mail sshd[21736]: Invalid user svn from 201.18.81.8
> Aug 7 10:20:06 mail sshd[21745]: Invalid user iraf from 201.18.81.8
> Aug 7 10:20:13 mail sshd[21747]: Invalid user swsoft from 201.18.81.8
> Aug 7 10:20:18 mail sshd[21749]: Invalid user production from 201.18.81.8
> Aug 7 10:20:23 mail sshd[21751]: Invalid user guest from 201.18.81.8
> Aug 7 10:20:28 mail sshd[21753]: Invalid user gast from 201.18.81.8
> Aug 7 10:20:34 mail sshd[21755]: Invalid user gast from 201.18.81.8
> Aug 7 10:20:40 mail sshd[21762]: Invalid user oliver from 201.18.81.8
> Aug 7 10:20:45 mail sshd[21767]: Invalid user sirsi from 201.18.81.8
> Aug 7 10:20:50 mail sshd[21769]: Invalid user nagios from 201.18.81.8
> Aug 7 10:20:55 mail sshd[21771]: Invalid user nagios from 201.18.81.8
> Aug 7 10:20:59 mail sshd[21773]: Invalid user nagios from 201.18.81.8
>
> Thanks in advance for suggestions as to how to reduce these kind of
> login attempts.
>
> dn
> iD8DBQFGufyzyPxGVjntI4IRAty2AJ9WDCqLqkWyhx/KuciGINow6Upb5wCfUuP+
> GfZ8lnaun1QPItnFK5c4MNU=
> =tjbD
> -----END PGP SIGNATURE-----
