On 2 November 2010 16:34, Justin V. <[email protected]> wrote:
> Hi,
>
> Would this be considered bruteforce??
>
> This goes on and on:
>
> Nov 2 05:42:19 yeaguy pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [Administrator]
> Nov 2 05:42:53 yeaguy last message repeated 3 times
> Nov 2 05:43:11 yeaguy pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [Administrator]
> Nov 2 05:43:31 yeaguy pure-ftpd: ([email protected]) [ERROR] Too many authentication failures
> Nov 2 05:43:35 yeaguy pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [Administrator]
> Nov 2 05:43:54 yeaguy last message repeated 2 times
> Nov 2 05:44:27 yeaguy last message repeated 2 times
> Nov 2 05:44:47 yeaguy pure-ftpd: ([email protected]) [ERROR] Too many authentication failures
> Nov 2 05:44:53 yeaguy pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [Administrator]
> Nov 2 05:45:27 yeaguy last message repeated 3 times
> Nov 2 05:45:44 yeaguy pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [Administrator]
> Nov 2 05:46:05 yeaguy pure-ftpd: ([email protected]) [ERROR] Too many authentication failures
> Nov 2 05:46:12 yeaguy pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [Administrator]
> Nov 2 05:46:47 yeaguy last message repeated 3 times
> Nov 2 05:47:03 yeaguy pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [Administrator]
> Nov 2 05:47:24 yeaguy pure-ftpd: ([email protected]) [ERROR] Too many authentication failures
> Nov 2 05:47:31 yeaguy pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [Administrator]
> Nov 2 05:48:06 yeaguy last message repeated 3 times
> Nov 2 05:48:24 yeaguy pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [Administrator]
> Nov 2 05:48:45 yeaguy pure-ftpd: ([email protected]) [ERROR] Too many authentication failures
> Nov 2 05:48:50 yeaguy pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [Administrator]
> Nov 2 05:49:25 yeaguy last message repeated 3 times
> Nov 2 05:49:42 yeaguy pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [Administrator]
> Nov 2 05:50:01 yeaguy pure-ftpd: ([email protected]) [ERROR] Too many authentication failures
> Nov 2 05:50:08 yeaguy pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [Administrator]
> Nov 2 05:50:40 yeaguy last message repeated 3 times
> Nov 2 05:50:58 yeaguy pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [Administrator]
> Nov 2 05:51:20 yeaguy pure-ftpd: ([email protected]) [ERROR] Too many authentication failures
> Nov 2 05:51:25 yeaguy pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [Administrator]
> Nov 2 05:51:59 yeaguy last message repeated 3 times
> Nov 2 05:52:16 yeaguy pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [Administrator]
>
>
> My sshguard config:
>
>
> # $FreeBSD: src/share/examples/pf/pf.conf,v 1.1.4.1.4.1 2010/06/14 02:09:06 kensmith Exp $
> # $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
> #
> # See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> ext_if="wlan0"
> #int_if="int0"
>
> #table <spamd-white> persist
> table <sshguard> persist
>
> #set skip on lo
>
> #scrub in
>
> #nat-anchor "ftp-proxy/*"
> #rdr-anchor "ftp-proxy/*"
> #nat on $ext_if from !($ext_if) -> ($ext_if:0)
> #rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
> #no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
> #rdr pass on $ext_if proto tcp from any to any port smtp \
> #       -> 127.0.0.1 port spamd
>
> #anchor "ftp-proxy/*"
> #block in
> block in log quick on $ext_if from <sshguard> label "bruteforce"
> #pass out
>
> #pass quick on $int_if no state
> #antispoof quick for { lo $int_if }
>
> #pass in on $ext_if proto tcp to ($ext_if) port ssh
> #pass in log on $ext_if proto tcp to ($ext_if) port smtp
> #pass out log on $ext_if proto tcp from ($ext_if) to port smtp
>
>
> LOGS:
>
> yeaguy# nslookup a214.amber.fastwebserver.de
> Server: 10.1.1.1
> Address: 10.1.1.1#53
>
> Non-authoritative answer:
> Name: a214.amber.fastwebserver.de
> Address: 217.79.189.214
>
> yeaguy# tcpdump -n -e -ttt -r /var/log/pflog | grep 217.79.189.214
> reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
> yeaguy#
>
>
> Thanks,
>
> Justin
> _______________________________________________
> [email protected] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "[email protected]"

Even if it is, do you really need to leave ssh accessible to the whole world, or can you not lock it down with ACLs, e.g. explicitly block all ssh attempts apart from those in table ssh, say?
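
An added example, not part of the original thread: a Python script that answers the "is this brute force?" question for logs of the shape quoted above by counting pure-ftpd authentication failures per source, including the ones hidden in syslog's "last message repeated N times" lines. The sample lines, the addresses, the year, the threshold and the window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of the quoted log; the addresses are
# documentation ranges, not the host from the thread.
SAMPLE = """\
Nov  2 05:42:19 yeaguy pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:42:53 yeaguy last message repeated 3 times
Nov  2 05:43:11 yeaguy pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:43:31 yeaguy pure-ftpd: (?@203.0.113.7) [ERROR] Too many authentication failures
Nov  2 05:43:35 yeaguy pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:43:54 yeaguy last message repeated 2 times
Nov  2 09:10:02 yeaguy pure-ftpd: (?@198.51.100.20) [WARNING] Authentication failed for user [justin]
"""

FAIL = re.compile(r"pure-ftpd: \([^@)]*@([^)]+)\) \[WARNING\] Authentication failed")
REPEAT = re.compile(r"last message repeated (\d+) times?$")

def parse_failures(text, year=2010):
    """Return [(timestamp, source)] with one entry per failed login."""
    events, last_src = [], None
    for line in text.splitlines():
        try:
            month, day, clock, _host, msg = line.split(None, 4)
            ts = datetime.strptime(f"{year} {month} {day} {clock}", "%Y %b %d %H:%M:%S")
        except ValueError:
            continue  # not a syslog line
        failed, repeat = FAIL.search(msg), REPEAT.match(msg)
        if failed:
            last_src = failed.group(1)
            events.append((ts, last_src))
        elif repeat and last_src:
            # syslogd collapsed identical lines; their real times are lost,
            # so the repeats are stamped with the summary line's time.
            events.extend([(ts, last_src)] * int(repeat.group(1)))
        elif not repeat:
            last_src = None  # a different message ends the repeat context
    return events

def brute_force_sources(text, threshold=5, window=timedelta(minutes=5)):
    """Return {source: peak failures inside one window} for peaks >= threshold."""
    by_src = defaultdict(list)
    for ts, src in parse_failures(text):
        by_src[src].append(ts)
    peaks = {s: max(sum(t <= u <= t + window for u in ts) for t in ts)
             for s, ts in by_src.items()}
    return {s: p for s, p in peaks.items() if p >= threshold}
```

A source returned by `brute_force_sources` is a candidate for the `<sshguard>` table that the quoted pf.conf already blocks on.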
