Hi,
Would this be considered brute force?
This goes on and on:
Nov 2 05:42:19 yeaguy pure-ftpd: (?...@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:42:53 yeaguy last message repeated 3 times
Nov 2 05:43:11 yeaguy pure-ftpd: (?...@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:43:31 yeaguy pure-ftpd: (?...@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
Nov 2 05:43:35 yeaguy pure-ftpd: (?...@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:43:54 yeaguy last message repeated 2 times
Nov 2 05:44:27 yeaguy last message repeated 2 times
Nov 2 05:44:47 yeaguy pure-ftpd: (?...@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
Nov 2 05:44:53 yeaguy pure-ftpd: (?...@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:45:27 yeaguy last message repeated 3 times
Nov 2 05:45:44 yeaguy pure-ftpd: (?...@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:46:05 yeaguy pure-ftpd: (?...@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
Nov 2 05:46:12 yeaguy pure-ftpd: (?...@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:46:47 yeaguy last message repeated 3 times
Nov 2 05:47:03 yeaguy pure-ftpd: (?...@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:47:24 yeaguy pure-ftpd: (?...@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
Nov 2 05:47:31 yeaguy pure-ftpd: (?...@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:48:06 yeaguy last message repeated 3 times
Nov 2 05:48:24 yeaguy pure-ftpd: (?...@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:48:45 yeaguy pure-ftpd: (?...@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
Nov 2 05:48:50 yeaguy pure-ftpd: (?...@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:49:25 yeaguy last message repeated 3 times
Nov 2 05:49:42 yeaguy pure-ftpd: (?...@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:50:01 yeaguy pure-ftpd: (?...@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
Nov 2 05:50:08 yeaguy pure-ftpd: (?...@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:50:40 yeaguy last message repeated 3 times
Nov 2 05:50:58 yeaguy pure-ftpd: (?...@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:51:20 yeaguy pure-ftpd: (?...@a214.amber.fastwebserver.de) [ERROR] Too many authentication failures
Nov 2 05:51:25 yeaguy pure-ftpd: (?...@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:51:59 yeaguy last message repeated 3 times
Nov 2 05:52:16 yeaguy pure-ftpd: (?...@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]
My sshguard config:
# $FreeBSD: src/share/examples/pf/pf.conf,v 1.1.4.1.4.1 2010/06/14 02:09:06 kensmith Exp $
# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
ext_if="wlan0"
#int_if="int0"
#table <spamd-white> persist
table <sshguard> persist
#set skip on lo
#scrub in
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
# -> 127.0.0.1 port spamd
#anchor "ftp-proxy/*"
#block in
block in log quick on $ext_if from <sshguard> label "bruteforce"
#pass out
#pass quick on $int_if no state
#antispoof quick for { lo $int_if }
#pass in on $ext_if proto tcp to ($ext_if) port ssh
#pass in log on $ext_if proto tcp to ($ext_if) port smtp
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp
LOGS:
yeaguy# nslookup a214.amber.fastwebserver.de
Server: 10.1.1.1
Address: 10.1.1.1#53
Non-authoritative answer:
Name: a214.amber.fastwebserver.de
Address: 217.79.189.214
yeaguy# tcpdump -n -e -ttt -r /var/log/pflog | grep 217.79.189.214
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
yeaguy#
Thanks,
Justin
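
Added example (not part of the original message): a small detector for the log pattern shown above, which counts failed pure-ftpd logins per remote host inside a sliding window and expands syslog's "last message repeated N times" lines so that collapsed attempts are not undercounted. The sample lines, the hostnames `ftphost`, `client.example.net` and `other.example.org`, the default year, and the threshold and window values are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the same syslog shape as the log above (not real data).
SAMPLE = """\
Nov 2 05:42:19 ftphost pure-ftpd: (?@client.example.net) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:42:53 ftphost last message repeated 3 times
Nov 2 05:43:11 ftphost pure-ftpd: (?@client.example.net) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:43:31 ftphost pure-ftpd: (?@client.example.net) [ERROR] Too many authentication failures
Nov 2 05:43:35 ftphost pure-ftpd: (?@client.example.net) [WARNING] Authentication failed for user [Administrator]
Nov 2 05:43:54 ftphost last message repeated 2 times
Nov 2 05:50:00 ftphost pure-ftpd: (?@other.example.org) [WARNING] Authentication failed for user [bob]
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (.*)$")
FAIL = re.compile(r"pure-ftpd: \(\S*@(\S+)\) \[WARNING\] Authentication failed for user \[(.*)\]")
REPEAT = re.compile(r"last message repeated (\d+) times?")

def failures(text, year=2000):
    """Yield (timestamp, remote_host) per failed login; year is assumed (syslog omits it)."""
    last = None  # remote host of the previous message if it was a failure, else None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        rep, fail = REPEAT.search(m.group(2)), FAIL.search(m.group(2))
        if rep and last:
            # Repeats carry only the flush time, so all N are stamped with it.
            for _ in range(int(rep.group(1))):
                yield ts, last
        elif not rep:
            last = fail.group(1) if fail else None
            if fail:
                yield ts, last

def flag_hosts(text, threshold=5, window=timedelta(minutes=2)):
    """Return {host: total_failures} for hosts reaching threshold failures inside window."""
    recent, total, flagged = defaultdict(deque), defaultdict(int), set()
    for ts, host in failures(text):
        q = recent[host]
        q.append(ts)
        total[host] += 1
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(host)
    return {h: total[h] for h in flagged}
```

On the constructed sample, `flag_hosts(SAMPLE)` reports `client.example.net` with 8 failures, 5 of which exist only as "repeated" lines; a counter that ignores those lines would see 3.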