Comments on: Stopping SSH & FTP brute force attacks with IPFW

By: Chris

Chris — Tue, 21 Jul 2009 17:02:11 +0000

Glad to hear it. :)

By: SoniXAnT

SoniXAnT — Tue, 21 Jul 2009 08:30:29 +0000

Yessss, now it works!! The bruteblock line must be put at the top of syslog.conf as you said…strange issue nevertheless.

By: Chris

Chris — Mon, 20 Jul 2009 16:49:16 +0000

Great tip, I couldn’t have said it better myself. I found that putting the bruteblock line up the top of your syslog.conf file guarantees it will start correctly. Let me know how this goes for you.

By: SoniXAnT

SoniXAnT — Sun, 19 Jul 2009 20:06:53 +0000

Oops, sorry I meant:
tail -F -n1 /var/log/auth.log | exec /usr/local/sbin/bruteblock -f /usr/local/etc/bruteblock/ssh.conf &

do not forget the final \&\ or else init will be stuck in the tail command from the next reboot

By: SoniXAnT

SoniXAnT — Sun, 19 Jul 2009 19:59:16 +0000

Two tips for bruteblock:
1) ipfw acts as a “firts match first win” firewall so add the deny rule BEFORE any other ruleset
2) I can’t understand why my syslogd doesn’t recognize bruteblock from my syslog.conf, if this is your case, here is a workaround:
just add the following line to your /etc/rc.local

echo “tail -F -n1 /var/log/auth.log | exec /usr/local/sbin/bruteblock -f /usr/local/etc/bruteblock/ssh.conf &” >> /etc/rc.local

and reboot

hope this helps!

By: Chris

Chris — Fri, 03 Jul 2009 06:52:23 +0000

Send me your ssh.conf (bruteblock), rc.firewall (ipfw) and you syslog.conf (syslogd) and I’ll take a look for you. chris [at] reallfreebsdtips [dot] com

By: James S

James S — Fri, 03 Jul 2009 01:44:38 +0000

I’m not familiar with ipfw, since I don’t need or want a firewall for any other reason than to use BruteBlock. I keep getting a:

bruteblock[1083]: Blocking failed for (my test attacking IP)

I am running firewall_type=”OPEN”, because as I said, I really don’t want to have IPFW interfering with anything else. If I do a: ipfw table 1 list, I do see the same test IP listed, but it is not being blocked.

I’d appreciate a clue or two…if I need to run the firewall differently, how best to do that as simply as possible.

Thanks!

By: KC

KC — Fri, 17 Apr 2009 10:10:45 +0000

Thanks for the information! It helps a lot!

By: dr.hoffman

dr.hoffman — Fri, 27 Mar 2009 08:45:21 +0000

*Please, Disregard previous post*
Great article – Thanx!
Very Helpful!
Please, note that string:
add deny ip from table(1) to any
Should look like:
add deny ip from table\(1\ )to any
– with reverse slashes

By: Kevin

Kevin — Thu, 12 Mar 2009 21:21:23 +0000

I’m using a different method: change ports for ssh/ftp (make it over 8000), also configure:
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
in /etc/sysctl.conf

The automate scans are completely eliminated.

I have blogged it, you can search the posts on my blog.