
Adaptive Firewall and ssh dictionary attacks

I set up the Adaptive Firewall. See http://support.apple.com/kb/TS4418 and http://support.apple.com/kb/ht5519.

Then I copied from /Application/Server.app/Contents/ServerRoot/private/etc/emond.d/ the files AdaptiveFirewall.plist and HostBlockingLogic.plist to the directory /etc/emond.d/rules/. I changed in /etc/emond.d/rules/AdaptiveFirewall.plist the values for hostBlockTheshold to 5 (block after 5 failed attempts) and the hostMinBlockTime to 10 (block 10 minutes). Rebooted.


I tested this config with (false) ssh and imap logins. emond is blocking the remote IP. But emond only blocks the IP if I use the same login name 5 times. I see dictionary attacks in the syslog (different login names); these IPs aren't blocked!


How do I block these IPs?

Mac Pro, OS X Server

Posted on Mar 28, 2013 1:48 AM

5 replies

Apr 2, 2013 4:12 AM in response to Linc Davis

The reason seems to be a false configuration of the "BSM auditpipe" (whatever that is). See /usr/libexec.emlog.pl. The log entry with "Invalid user" is not logged/interpreted correctly.


Now I installed sshguard from Homebrew. But:


On Mountain Lion pf is running and the logfile is /var/log/system.log.
So I compiled sshguard with

./configure --prefix=/usr/local/Cellar/sshguard/1.5 --with-firewall=pf
make install


I changed in homebrew.mxcl.sshguard.plist the name of the logfile.

In /etc/pf.conf I added
# pf only evaluates a loaded anchor when an anchor rule references it
anchor "sshguard"
load anchor "sshguard" from "/etc/pf.anchors/homebrew/mxcl/sshguard"

In /etc/pf.anchors/homebrew/mxcl/sshguard are the lines:
# <sshguard> is the pf table the sshguard pf backend adds attacker addresses to
table <sshguard> persist
# eth0 is a Linux interface name; OS X names interfaces en0, en1, ...
block in quick on eth0 proto tcp from <sshguard> to any port 22 label "ssh bruteforce"
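The gap described in the original question (an address is only blocked when the same login name fails repeatedly) and the fix the reply reached for (sshguard feeding a pf table) come down to one piece of detection logic: count authentication failures per source address regardless of which user name was tried, including the "Invalid user" lines emond was not interpreting, and hand offenders to pf. The script below is an added example, not code from the thread, Apple or sshguard; the log lines are constructed (RFC 5737 documentation addresses), the time window and threshold mirror the 5-attempts / 10-minutes values from the question, and the table name sshguard is assumed to match the pf anchor in the reply. It builds the pfctl commands as strings rather than running them.

```python
"""Per-source-address SSH failure counting, independent of user name.

Added example: parses system.log style sshd lines, applies a sliding
time window per source address, and emits the pfctl commands that would
add offenders to a pf table. Nothing here executes pfctl.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "Invalid user" is logged once per attempt against an unknown account.
INVALID_USER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S*) from (?P<ip>[\d.]+)"
)
# "Failed password for <user>" covers known accounts. The
# "Failed password for invalid user ..." variant is deliberately excluded
# so an unknown-account attempt is not counted twice.
FAILED_PASSWORD = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?!invalid user )(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample log (not from any real host): one address cycling
# through five different names, one legitimate user with a single typo,
# and one address with two failures 40 minutes apart.
SAMPLE_LOG = """\
Mar 28 01:40:01 server sshd[4101]: Invalid user admin from 203.0.113.5
Mar 28 01:40:03 server sshd[4103]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Mar 28 01:40:05 server sshd[4105]: Invalid user oracle from 203.0.113.5
Mar 28 01:40:07 server sshd[4107]: Invalid user test from 203.0.113.5
Mar 28 01:40:09 server sshd[4109]: Invalid user guest from 203.0.113.5
Mar 28 01:40:11 server sshd[4111]: Invalid user postgres from 203.0.113.5
Mar 28 01:41:00 server sshd[4120]: Failed password for bob from 198.51.100.7 port 40000 ssh2
Mar 28 01:41:30 server sshd[4122]: Accepted publickey for bob from 198.51.100.7 port 40001 ssh2
Mar 28 01:50:00 server sshd[4130]: Invalid user root from 192.0.2.9
Mar 28 02:30:00 server sshd[4140]: Invalid user root from 192.0.2.9
"""


def parse_failures(log_text, year=2013):
    """Return a list of (timestamp, ip, user) for every failed attempt.

    syslog timestamps carry no year, so the caller supplies one.
    """
    events = []
    for line in log_text.splitlines():
        m = INVALID_USER.match(line) or FAILED_PASSWORD.match(line)
        if not m:
            continue
        stamp = " ".join(m.group("ts").split())  # normalise padded day
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("ip"), m.group("user")))
    return events


def offenders(events, threshold=5, window_minutes=10):
    """Return {ip: sorted user names tried} for each address that produced
    at least `threshold` failures inside any `window_minutes` span.

    The count is per address, not per (address, user), so a dictionary
    attack that never repeats a name still crosses the threshold.
    """
    window = timedelta(minutes=window_minutes)
    times = defaultdict(list)
    users = defaultdict(set)
    for ts, ip, user in sorted(events):
        times[ip].append(ts)
        users[ip].add(user)
    result = {}
    for ip, stamps in times.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                result[ip] = sorted(users[ip])
                break
    return result


def pfctl_commands(blocked, table="sshguard"):
    """Build (but do not run) the pfctl commands that add offenders to a
    pf table; `table` is assumed to match the anchor's table name."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(blocked)]


if __name__ == "__main__":
    hits = offenders(parse_failures(SAMPLE_LOG))
    for ip, names in hits.items():
        print(f"{ip}: {len(names)} distinct names tried -> {names}")
    for cmd in pfctl_commands(hits):
        print(cmd)
```

Run as a script it reports 203.0.113.5 with five distinct names and prints the single pfctl command for it; 198.51.100.7 (one mistyped password before a successful key login) and 192.0.2.9 (two failures far apart) stay untouched, which is the false-positive behaviour a threshold-plus-window design is meant to give.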
