3 attempts and then ban
I happened to be sitting around one day without too much to do, so I had a look through the log files on my OpenBSD 3.6 machine, and this is what I got to see:
-------------------------------
Feb 14 07:29:56 Tron sshd[1726]: Did not receive identification string from 222.170.7.245
Feb 14 07:34:22 Tron sshd[18501]: Failed password for nobody from 222.170.7.245 port 42175 ssh2
Feb 14 07:34:22 Tron sshd[8674]: Failed password for nobody from 222.170.7.245 port 42175 ssh2
Feb 14 07:34:23 Tron sshd[18501]: Received disconnect from 222.170.7.245: 11: Bye Bye
Feb 14 07:34:26 Tron sshd[1154]: Invalid user patrick from 222.170.7.245
Feb 14 07:34:26 Tron sshd[25795]: input_userauth_request: invalid user patrick
Feb 14 07:34:26 Tron sshd[25795]: Failed password for invalid user patrick from 222.170.7.245 port 43624 ssh2
Feb 14 07:34:26 Tron sshd[1154]: Failed password for invalid user patrick from 222.170.7.245 port 43624 ssh2
Feb 14 07:34:27 Tron sshd[25795]: Received disconnect from 222.170.7.245: 11: Bye Bye
Feb 14 07:34:31 Tron sshd[11207]: Invalid user patrick from 222.170.7.245
Feb 14 07:34:31 Tron sshd[22017]: input_userauth_request: invalid user patrick
Feb 14 07:34:32 Tron sshd[22017]: Failed password for invalid user patrick from 222.170.7.245 port 44635 ssh2
Feb 14 07:34:32 Tron sshd[11207]: Failed password for invalid user patrick from 222.170.7.245 port 44635 ssh2
Feb 14 07:34:32 Tron sshd[22017]: Received disconnect from 222.170.7.245: 11: Bye Bye
Feb 14 07:34:36 Tron sshd[21673]: Failed password for root from 222.170.7.245 port 46290 ssh2
Feb 14 07:34:36 Tron sshd[11591]: Failed password for root from 222.170.7.245 port 46290 ssh2
Feb 14 07:34:37 Tron sshd[21673]: Received disconnect from 222.170.7.245: 11: Bye Bye
Feb 14 07:34:41 Tron sshd[7124]: Failed password for root from 222.170.7.245 port 47899 ssh2
Feb 14 07:34:41 Tron sshd[4188]: Failed password for root from 222.170.7.245 port 47899 ssh2
Feb 14 07:34:41 Tron sshd[7124]: Received disconnect from 222.170.7.245: 11: Bye Bye
Feb 14 07:34:45 Tron sshd[28069]: Failed password for root from 222.170.7.245 port 49538 ssh2
Feb 14 07:34:45 Tron sshd[4476]: Failed password for root from 222.170.7.245 port 49538 ssh2
Feb 14 07:34:46 Tron sshd[28069]: Received disconnect from 222.170.7.245: 11: Bye Bye
Feb 14 07:34:50 Tron sshd[6080]: Failed password for root from 222.170.7.245 port 51121 ssh2
Feb 14 07:34:50 Tron sshd[25048]: Failed password for root from 222.170.7.245 port 51121 ssh2
Feb 14 07:34:50 Tron sshd[6080]: Received disconnect from 222.170.7.245: 11: Bye Bye
Feb 14 07:34:56 Tron sshd[14657]: Failed password for root from 222.170.7.245 port 53198 ssh2
Feb 14 07:34:56 Tron sshd[18899]: Failed password for root from 222.170.7.245 port 53198 ssh2
Feb 14 07:34:56 Tron sshd[14657]: Received disconnect from 222.170.7.245: 11: Bye Bye
Feb 14 07:35:00 Tron sshd[28675]: Invalid user rolo from 222.170.7.245
Feb 14 07:35:00 Tron sshd[4780]: input_userauth_request: invalid user rolo
Feb 14 07:35:00 Tron sshd[4780]: Failed password for invalid user rolo from 222.170.7.245 port 55414 ssh2
Feb 14 07:35:00 Tron sshd[28675]: Failed password for invalid user rolo from 222.170.7.245 port 55414 ssh2
Feb 14 07:35:00 Tron sshd[4780]: Received disconnect from 222.170.7.245: 11: Bye Bye
Feb 14 07:35:04 Tron sshd[17673]: Invalid user iceuser from 222.170.7.245
-------------------------------
And that is not even half of it: the same IP tries to log in a good 80 times in total with different usernames between 7:34 and 7:38.
So I wondered whether it would be possible to make a rule that said "two misses and you're out", so that if you can't log in correctly the first 2 times, the IP gets banned.
I have an idea that you could drop an IP into a <badboys> table that PF can block drop like crazy. But how to get it to check that 2 wrong passwords have come from the same IP is something I don't quite know how to get working.
Does anyone have any suggestions?
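
One way to do the check asked about above, as an added example that is not part of the original post: a shell/awk filter that counts failed password attempts per source address and prints the `pfctl` command that would add each offender to the `<badboys>` table. The threshold variable, the function names and the sample log lines are assumptions constructed for the example; the pf.conf lines in the comment are likewise a suggestion, not taken from the post.

```shell
#!/bin/sh
# Added example: list source IPs with repeated failed SSH password logins.
# THRESHOLD and the sample lines are constructed; <badboys> is the table named in the post.
# Assumed pf.conf lines:  table <badboys> persist
#                         block drop in quick from <badboys>
THRESHOLD=${THRESHOLD:-2}

# Reads sshd log lines on stdin, prints one offending IPv4 address per line.
failed_ips() {
    awk -v limit="$THRESHOLD" '
    /sshd\[[0-9]+\]: Failed password for / {
        # The username is client-supplied, so read fields from the END of the line:
        # "... from <ip> port <port> ssh2"
        if ($(NF-4) != "from" || $(NF-2) != "port") next
        ip = $(NF-3); port = $(NF-1)
        if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next   # IPv4 only
        # Each failure is logged twice (same port, different sshd PID): count it once.
        if (!((ip, port) in seen)) { seen[ip, port] = 1; count[ip]++ }
    }
    END { for (ip in count) if (count[ip] >= limit) print ip }
    ' | sort
}

# Dry run: print the pfctl commands instead of executing them.
ban_commands() {
    failed_ips | while read -r ip; do
        echo "pfctl -t badboys -T add $ip"
    done
}

# Constructed sample input (documentation address ranges, not real hosts).
sample_log() {
    cat <<'EOF'
Feb 14 07:34:22 host sshd[100]: Failed password for nobody from 192.0.2.10 port 42175 ssh2
Feb 14 07:34:22 host sshd[101]: Failed password for nobody from 192.0.2.10 port 42175 ssh2
Feb 14 07:34:26 host sshd[102]: Failed password for invalid user patrick from 192.0.2.10 port 43624 ssh2
Feb 14 07:34:26 host sshd[103]: Failed password for invalid user patrick from 192.0.2.10 port 43624 ssh2
Feb 14 07:40:00 host sshd[104]: Failed password for root from 198.51.100.7 port 50000 ssh2
Feb 14 07:40:00 host sshd[105]: Failed password for root from 198.51.100.7 port 50000 ssh2
Feb 14 07:41:00 host sshd[106]: Accepted password for bob from 198.51.100.7 port 50001 ssh2
EOF
}
```

Run as `sample_log | ban_commands` to see the dry-run output; 198.51.100.7 is not listed because its two log lines describe a single failed attempt.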