Q: Which kinds/versions of SSH daemons are supported?
A: It doesn’t matter which kind or version of SSH daemon you are using. The only thing you have to care of, is that you have to log SSHd traffic via syslog and your syslog is capable to use pipes (i.e. it can redirect the output to some script). Another thing is the format of your logs, if you aren’t using latest version of OpenSSH you will probably need to change regexps used in script.
Q: BruteForceBlocker is running, but IPs aren’t being blocked.
A: This is probably because of incorrect formats of regexps used in script. I have reports from users that OpenSSH v3.8 (which is default in FreeBSD 5.4) and less, uses little bit different format of warnings. You should check your logs for the format and according to that format change the Regexps. By this way, you can also use this script not only with OpenSSH, but it’s possible to use it for example with SSH Secure Shell; it’s only up to you what you consider to be harmful message.
Q: How does the timeout work?
A: There are two types of timeout to consider. One thing is how long does the bruteforceblocker keep the internal count of failed login attempts in its memory. This affects the timeout setting in the bruteforceblocker.conf configuration file. This setting should be set to the amount of seconfs, after which you want to reset this count internally.
However, when the IP gets blocked by pf, this is beyond the bruteforceblocker. Here comes the second timeout type. To be able to remove an old entries from the pf table, you will need an external utility. I recommend using security/expiretable in conjuction with a proper entry in the crontab. In this case, set up the following:
First, let the blocked IP be stored in memory only, by the following setting in /etc/pf.conf:
table <bruteforce> persist
Next, set up a cronjob entry, which will handle the removal of old IPs from the pf table in /etc/crontable file:
0 4 * * * root /usr/local/sbin/expiretable -t 1d bruteforce
Q: Is it possible to use BruteForceBlocker with Linux and IPTABLES?
A: This is pretty easy task. All you need is to change value of $pfctl variable to contain the path to the IPTABLES binary. Then you need change line:
system(“$pfctl -t $table -T add $IP/32”) == 0 or die “Couldn’t add $IP to firewall”;
to something like:
system(“$iptables -I INPUT -s $IP -j DROP”) == 0 or die “Couldn’t add $IP to firewall”;
You should also remove some unneeded variables like $table and $tablefile or, you should use them to store rules in the iptables script to keep your firewall rules.
Q: I don’t have sshd logs after upgrade from 1.1
A: This is because BruteForceblocker 1.2 and later doesn’t log anymore. This way of logging was obsoleted because people weren’t able to log to remote syslog through BruteForceBlocker. If you don’t have line similar to this:
in syslog.conf, then you should add it there, otherwise you won’t get auth.* messages logged.