On Tue, 2 Nov 2010, Rob Farmer wrote:

On Tue, Nov 2, 2010 at 09:34, Justin V. <v...@yeaguy.com> wrote:
Hi,

Would this be considered bruteforce??

Yes


This goes on and on:


Nov  2 05:42:19 yeaguy pure-ftpd: (?...@a214.amber.fastwebserver.de) [WARNING]
Authentication failed for user [Administrator]
Nov  2 05:42:53 yeaguy last message repeated 3 times
[...]

My sshguard config:

Something isn't set up right if you are getting that many attempts -
it should kill them right away:

Nov  1 10:47:51 peridot sshd[77847]: reverse mapping checking
getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed -
POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:47:53 peridot sshd[77967]: reverse mapping checking
getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed -
POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:47:54 peridot sshd[78123]: reverse mapping checking
getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed -
POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:47:56 peridot sshd[78228]: reverse mapping checking
getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed -
POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:47:56 peridot sshguard[49177]: Blocking 178.238.137.213:4
for >420secs: 4 failures over 5 seconds.

Do you have the syslog.conf part set up as well as the pf part? I've
only used it for ssh but something like the following needs to be
there:

auth.info;authpriv.info                         |exec /usr/local/sbin/sshguard

yeaguy#  nslookup  a214.amber.fastwebserver.de
Server:         10.1.1.1
Address:        10.1.1.1#53

Non-authoritative answer:
Name:   a214.amber.fastwebserver.de
Address: 217.79.189.214


I wouldn't waste your time trying to find out who they are - just
block and move on. That site is probably a shared web hosting account
that was compromised by a bad php script - even if you successfully
complain (assuming it is a legit hoster that cares) and they do
something about it, there are thousands more.

--
Rob Farmer
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

This is the guide I used:

http://www.sshguard.net/docs/setup/firewall/pf/

I followed this section to block all brute attempts:

Add this line in the packet filtering (rules) section:

block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "ssh bruteforce"

Replace $ext_if with your WAN interface name if needed. Omit the proto tcp and the to any port 22 segment if you want to block all the traffic from attackers (not just ssh).


I really like this port; it just keeps the logs from filling up..

I'm not going to email their abuse desk, just wishing that sshguard would do what I expected it to do via the how-to.. :(
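As an added example (not code from the thread or from sshguard itself): a small Python replay of the two log shapes quoted above that applies the threshold sshguard printed, 4 failures within 5 seconds blocking for 420 seconds, and charges syslog's "last message repeated N times" lines to the previous attacker. The sample lines are constructed from the thread's log shapes with timestamps adjusted so both the FTP and the SSH source cross the threshold; the regexes, function names and the 2010 year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds copied from the sshguard line quoted in the thread:
# "Blocking ... for >420secs: 4 failures over 5 seconds."
MAX_FAILURES, WINDOW_SECS, BLOCK_SECS = 4, 5, 420

SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<msg>.*)$")
REPEATED = re.compile(r"last message repeated (?P<n>\d+) times")
ATTACKS = [  # the two failure shapes quoted in the thread; group "src" is the attacker
    re.compile(r"pure-ftpd: \(\S*@(?P<src>[^)]+)\) \[WARNING\] Authentication failed"),
    re.compile(r"sshd\[\d+\]: reverse mapping checking getaddrinfo for \S+ \[(?P<src>[^\]]+)\] failed"),
]

def blocks_for(lines, year=2010):
    """Replay syslog lines in order; return [(src, blocked_at, expires)] per block."""
    recent, blocked, last_src, out = defaultdict(deque), {}, None, []
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # stamps carry no year
        rep = REPEATED.search(m["msg"])
        hit = next((a["src"] for a in (p.search(m["msg"]) for p in ATTACKS) if a), None)
        if rep and last_src:  # syslog folded repeats: charge them all to the previous attacker
            src, count = last_src, int(rep["n"])
        elif hit:
            src, count, last_src = hit, 1, hit
        else:
            last_src = None  # an unrelated message breaks the "repeated" chain
            continue
        if ts < blocked.get(src, ts):  # already blocked: nothing new to do
            continue
        q = recent[src]  # this attacker's failures still inside the window
        q.extend([ts] * count)
        while (ts - q[0]).total_seconds() > WINDOW_SECS:
            q.popleft()
        if len(q) >= MAX_FAILURES:
            q.clear()
            blocked[src] = ts + timedelta(seconds=BLOCK_SECS)
            out.append((src, ts, blocked[src]))
    return out

SAMPLE = [  # constructed sample in the two shapes quoted in the thread (timestamps adjusted)
    "Nov  2 05:42:19 yeaguy pure-ftpd: (?@a214.amber.fastwebserver.de) [WARNING] Authentication failed for user [Administrator]",
    "Nov  2 05:42:21 yeaguy last message repeated 3 times",
] + [f"Nov  1 10:47:{s} peridot sshd[{p}]: reverse mapping checking getaddrinfo for "
     "178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!"
     for s, p in ((51, 77847), (53, 77967), (54, 78123), (56, 78228))]
```

Because the decision is keyed on the source rather than the service, a pf rule like the one quoted from the setup guide only drops the SSH port until the `proto tcp` and `to any port 22` parts are omitted, as the guide itself says.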
