Auto blocking SSH - sshlockout_pf

ben.suffolk · May 19, 2007, 8:51 AM

I am running 1.2-BETA-1-TESTING-SNAPSHOT-05-14-2007 and noticed in my logs a large number of ssh attempts from the same IP address, as it happens all to usersnames that don;t exist.

But I was under them impression the sshlockout_pf process blocked the IP after 3 attempts for an hour.

I checked it was running, which is was.

Did I miss a config option somewhere to enable the blocking?

Regards

Ben

cmb · May 21, 2007, 2:32 AM

Is this SSH to pfsense itself, or to another machine on your network?

ben.suffolk · May 21, 2007, 10:08 AM

Is was to pfSense itself.

I assume it picks up the failed details from syslog to add to the blacklist?

Ben

cmb · May 22, 2007, 2:26 AM

I guess…. I wasn't even aware of any SSH lock out functionality in pfsense. :)

maybe somebody familiar with it will answer.

Personally, I wouldn't recommend running SSH on your firewall open to the world, especially using the default port.

ben.suffolk · May 22, 2007, 11:12 AM

Soon I will be upgrading my existing firewall on my servers in the data center (currently just testing pfSense on my home firewall, which is great).

My existing firewalls are FreeBSD machines with pf running on them. I actually have a similar ssh lock out script that I wrote (not knowing one existed already) that runs on the firewalls, and I send ssh failures from the DMX machines to the firewall's syslog so it picks them up and blocks them as well.

Whoever does know about the ssh lockout in pfSense, can you tell me if that will works as well, if I send the syslog to pfSense from my dmx machines in the same way?

Take on board your point re running ssh on the machine, and may well change the port, but either way though somebody might like to know the ssh lockout does not seem to be working correctly.

Ben

dotdash · May 22, 2007, 5:12 PM

I've used the rate-limiting under advanced to drop people trying to brute-force ssh. It drops to the internal virusprot table. Currently you cannot drop to a custom table. I usually just restrict the source address for ssh and webgui.

Gandalf · May 23, 2007, 1:12 AM

@ben.suffolk:

Soon I will be upgrading my existing firewall on my servers in the data center (currently just testing pfSense on my home firewall, which is great).

My existing firewalls are FreeBSD machines with pf running on them. I actually have a similar ssh lock out script that I wrote (not knowing one existed already) that runs on the firewalls, and I send ssh failures from the DMX machines to the firewall's syslog so it picks them up and blocks them as well.

Whoever does know about the ssh lockout in pfSense, can you tell me if that will works as well, if I send the syslog to pfSense from my dmx machines in the same way?

Take on board your point re running ssh on the machine, and may well change the port, but either way though somebody might like to know the ssh lockout does not seem to be working correctly.

Ben

I don't know about sending syslog but personaly I have http://denyhosts.sourceforge.net/ on every box I own, I don't have any BSD box (except pfSense which has the ssh port closed so I didn't need to tried it) it works great on Linux boxes, maybe you can try it on pfSense?

ben.suffolk · May 23, 2007, 8:10 AM

@Gandalf:

I don't know about sending syslog but personaly I have http://denyhosts.sourceforge.net/ on every box I own, I don't have any BSD box (except pfSense which has the ssh port closed so I didn't need to tried it) it works great on Linux boxes, maybe you can try it on pfSense?

I'll check it out, I see its in the FreeBSD ports tree so I'm sure it will work.