Netgate Discussion Forum

Auto blocking SSH - sshlockout_pf

Firewalling
8 Posts 4 Posters 5.0k Views
ben.suffolk, May 19, 2007, 8:51 AM

I am running 1.2-BETA-1-TESTING-SNAPSHOT-05-14-2007 and noticed in my logs a large number of SSH attempts from the same IP address, as it happens all to usernames that don't exist.

But I was under the impression the sshlockout_pf process blocked the IP after 3 attempts for an hour.

I checked it was running, which it was.

Did I miss a config option somewhere to enable the blocking?

Regards

Ben
cmb, May 21, 2007, 2:32 AM

Is this SSH to pfSense itself, or to another machine on your network?
ben.suffolk, May 21, 2007, 10:08 AM

It was to pfSense itself.

I assume it picks up the failed details from syslog to add to the blacklist?

Ben
cmb, May 22, 2007, 2:26 AM

I guess... I wasn't even aware of any SSH lockout functionality in pfSense. :)

Maybe somebody familiar with it will answer.

Personally, I wouldn't recommend running SSH on your firewall open to the world, especially using the default port.
ben.suffolk, May 22, 2007, 11:12 AM

Soon I will be upgrading my existing firewall on my servers in the data center (currently just testing pfSense on my home firewall, which is great).

My existing firewalls are FreeBSD machines with pf running on them. I actually have a similar SSH lockout script that I wrote (not knowing one existed already) that runs on the firewalls, and I send SSH failures from the DMZ machines to the firewall's syslog so it picks them up and blocks them as well.

Whoever does know about the SSH lockout in pfSense, can you tell me if that will work as well, if I send the syslog to pfSense from my DMZ machines in the same way?

I take on board your point re running SSH on the machine, and may well change the port, but either way somebody might like to know the SSH lockout does not seem to be working correctly.

Ben
dotdash, May 22, 2007, 5:12 PM

I've used the rate-limiting under Advanced to drop people trying to brute-force SSH. It drops to the internal virusprot table. Currently you cannot drop to a custom table. I usually just restrict the source address for SSH and the webGUI.
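Two mechanisms come up in this thread: ben's script that watches syslog for sshd failures (including failures relayed from the DMZ hosts) and blocks the source with pf, and dotdash's rate-limiting that overloads a source into a pf table. The script below is an added example written for this page; it is neither pfSense's sshlockout_pf nor ben's script, and nothing in it describes how pfSense actually implements its lockout. The table name sshlockout, the threshold of 3 failures, the one-hour expiry, the interface and admin-network parameters of sshlockout_pf_rules, and the sample log lines are all assumptions made up for the example.

```sh
#!/bin/sh
# Added example, not pfSense's sshlockout_pf and not ben's script: a syslog-driven
# SSH lockout for pf. It reads sshd log lines on stdin (the local auth log, or
# lines relayed from DMZ hosts), counts authentication failures per source
# address, and adds a source to a pf table once it reaches the threshold.
# The table name, the 3-failure threshold and the 1-hour expiry are assumptions
# of this example, not documented pfSense behaviour.

SSHLOCKOUT_TABLE=${SSHLOCKOUT_TABLE:-sshlockout}
SSHLOCKOUT_THRESHOLD=${SSHLOCKOUT_THRESHOLD:-3}
SSHLOCKOUT_TTL=${SSHLOCKOUT_TTL:-3600}
# PFCTL=echo gives a dry run that prints the pfctl commands instead of running them.
PFCTL=${PFCTL:-pfctl}

# Print each offending source address exactly once, the moment its failure count
# reaches the threshold. Works line by line, so it can sit behind a syslogd pipe
# as well as run over a saved log. The host field is ignored, so lines relayed
# from other machines are counted the same way as local ones.
sshlockout_offenders() {
    awk -v thr="$SSHLOCKOUT_THRESHOLD" '
        /sshd\[[0-9]+\]: (Failed [^ ]+ for|Invalid user|error: PAM: authentication error for)/ {
            # sshd logs the client-supplied username verbatim, so a login name of
            # "x from 192.0.2.1" plants a fake "from" token in the line. The real
            # source is the LAST "from" on the line; take that one and insist
            # that it is an IPv4 or IPv6 literal before it goes anywhere near pfctl.
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && ip !~ /^[0-9A-Fa-f.:]*:[0-9A-Fa-f.:]*$/) next
            if (++fails[ip] == thr) { print ip; fflush() }
        }'
}

# Add each offender to the table. A "block in quick ... from <table>" rule has
# to exist for the entry to have any effect.
sshlockout_apply() {
    sshlockout_offenders | while IFS= read -r ip; do
        echo "sshlockout: blocking $ip after $SSHLOCKOUT_THRESHOLD failures" >&2
        "$PFCTL" -t "$SSHLOCKOUT_TABLE" -T add "$ip"
    done
}

# Run from cron (for example every 5 minutes): drop entries that have been in the
# table for more than SSHLOCKOUT_TTL seconds, which is what turns a block into a
# one-hour lockout instead of a permanent one.
sshlockout_expire() {
    "$PFCTL" -t "$SSHLOCKOUT_TABLE" -T expire "$SSHLOCKOUT_TTL"
}

# pf.conf fragment tying it together, in the spirit of the rate-limiting and
# source-restriction advice above: table members are dropped, SSH and the web GUI
# are only reachable from the admin network given as $2, and a burst of new SSH
# connections from one source overloads into the same table without waiting for
# the log parser. Interface and admin network are parameters, not pfSense defaults.
sshlockout_pf_rules() {
    ext_if=$1
    admin_net=$2
    cat <<EOF
table <$SSHLOCKOUT_TABLE> persist
block in quick on $ext_if from <$SSHLOCKOUT_TABLE> to any
pass in on $ext_if proto tcp from $admin_net to ($ext_if) port { 22, 443 } \\
    keep state (max-src-conn-rate $SSHLOCKOUT_THRESHOLD/60, overload <$SSHLOCKOUT_TABLE> flush global)
EOF
}

# Constructed sample log in FreeBSD syslog format (not real traffic). The "dmz1"
# lines stand in for relayed DMZ entries; the third of them carries the spoofed
# username "x from 192.0.2.1", which must not get 192.0.2.1 blocked.
SAMPLE_LOG='May 19 08:40:01 fw sshd[1234]: Invalid user admin from 203.0.113.9
May 19 08:40:03 fw sshd[1236]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
May 19 08:40:05 fw sshd[1238]: Invalid user oracle from 203.0.113.9
May 19 08:40:06 fw sshd[1239]: Failed password for root from 203.0.113.9 port 40130 ssh2
May 19 08:40:07 dmz1 sshd[2240]: Failed password for root from 198.51.100.7 port 51000 ssh2
May 19 08:40:09 dmz1 sshd[2242]: Invalid user test from 198.51.100.7 port 51002
May 19 08:40:11 dmz1 sshd[2244]: Invalid user x from 192.0.2.1 from 198.51.100.7 port 51004
May 19 08:40:13 fw sshd[1246]: Accepted publickey for ben from 192.0.2.50 port 2222 ssh2'

# Dry run over the sample: prints the two pfctl commands that would be executed.
sshlockout_demo() {
    ( PFCTL=echo; printf '%s\n' "$SAMPLE_LOG" | sshlockout_apply )
}
```

On a FreeBSD box the parser can be fed live from syslog.conf with a pipe action (for example `auth.info |exec /usr/local/sbin/sshlockout.sh`, path assumed), or from cron over the saved auth log, with sshlockout_expire in cron alongside it. Two caveats a practitioner should weigh before relaying DMZ failures into it, as ben proposes: remote syslog over UDP is unauthenticated, so whoever can deliver a syslog datagram to the firewall can get any address blocked (restrict syslogd's accepted peers, FreeBSD syslogd's -a option, and keep the last-"from" and address-literal checks above); and nothing here exempts the admin network, so a typo-prone admin can lock themselves out unless the pass rule for the admin network is placed before, and with quick on, the block rule.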
Gandalf, May 23, 2007, 1:12 AM

@ben.suffolk:

    Soon I will be upgrading my existing firewall on my servers in the data center (currently just testing pfSense on my home firewall, which is great).

    My existing firewalls are FreeBSD machines with pf running on them. I actually have a similar SSH lockout script that I wrote (not knowing one existed already) that runs on the firewalls, and I send SSH failures from the DMZ machines to the firewall's syslog so it picks them up and blocks them as well.

    Whoever does know about the SSH lockout in pfSense, can you tell me if that will work as well, if I send the syslog to pfSense from my DMZ machines in the same way?

    I take on board your point re running SSH on the machine, and may well change the port, but either way somebody might like to know the SSH lockout does not seem to be working correctly.

    Ben

I don't know about sending syslog, but personally I have http://denyhosts.sourceforge.net/ on every box I own. I don't have any BSD box (except pfSense, which has the SSH port closed, so I didn't need to try it), but it works great on Linux boxes; maybe you can try it on pfSense?
ben.suffolk, May 23, 2007, 8:10 AM

@Gandalf:

    I don't know about sending syslog, but personally I have http://denyhosts.sourceforge.net/ on every box I own. I don't have any BSD box (except pfSense, which has the SSH port closed, so I didn't need to try it), but it works great on Linux boxes; maybe you can try it on pfSense?

I'll check it out. I see it's in the FreeBSD ports tree, so I'm sure it will work.