
Adaptive Firewall and ssh dictionary attacks

I set up the Adaptive Firewall. See http://support.apple.com/kb/TS4418 and http://support.apple.com/kb/ht5519.

Then I copied from /Application/Server.app/Contents/ServerRoot/private/etc/emond.d/ the files AdaptiveFirewall.plist and HostBlockingLogic.plist to the directory /etc/emond.d/rules/. I changed in /etc/emond.d/rules/AdaptiveFirewall.plist the values for hostBlockTheshold to 5 (block after 5 failed attempts) and the hostMinBlockTime to 10 (block 10 minutes). Rebooted.


I tested this config with (false) ssh and imap logins. emond is blocking the remote IP. But emond blocks the IP only if I use the same login name 5 times. I see dictionary attacks (different login names) in the syslog, but these IPs aren't blocked!


How do I block these IPs?

Mac Pro, OS X Server

Posted on Mar 28, 2013 1:48 AM

5 replies

Apr 2, 2013 4:12 AM in response to Linc Davis

The reason seems to be a false configuration of the "BSM auditpipe" (whatever that is). See /usr/libexec.emlog.pl. The log entry with "Invalid user" is not logged/interpreted correctly.


Now I installed sshguard from Homebrew. But:


On Mountain Lion pf is running and the logfile is /var/log/system.log.
So I compiled sshguard with

./configure --prefix=/usr/local/Cellar/sshguard/1.5 --with-firewall=pf
make install


I changed in homebrew.mxcl.sshguard.plist the name of the logfile.

In /etc/pf.conf I added
load anchor "sshguard" from "/etc/pf.anchors/homebrew/mxcl/sshguard"

In /etc/pf.anchors/homebrew/mxcl/sshguard are the lines:
table <sshguard> persist
block in quick on eth0 proto tcp from <sshguard> to any port 22 label "ssh bruteforce"
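The difference between the two approaches in this thread is what gets counted: the poster's emond rules only add up failures that reuse the same login name, while sshguard counts every failure from a source host and then feeds the host into a pf table. The following Python script is an added example, not code from the thread, from Apple or from the sshguard project. It parses a few constructed system.log lines (sshd "Invalid user" and "Failed password" entries; the year 2013 is assumed because syslog lines carry none), runs the same sliding-window rule with both counting keys using the poster's values (5 failures, 10 minutes), and builds the pfctl commands that would add an offending host to the <sshguard> table referenced by the anchor above. The table and anchor names are taken from the reply; the pfctl strings are only constructed, never executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of /var/log/system.log lines (not taken from the thread): one
# source rotates through user names, the other is a legitimate user who mistypes.
SAMPLE_LOG = """\
Mar 28 01:40:01 macpro sshd[501]: Invalid user admin from 203.0.113.7
Mar 28 01:40:03 macpro sshd[502]: Invalid user oracle from 203.0.113.7
Mar 28 01:40:05 macpro sshd[503]: Failed password for invalid user oracle from 203.0.113.7 port 40122 ssh2
Mar 28 01:40:08 macpro sshd[504]: Invalid user test from 203.0.113.7
Mar 28 01:40:10 macpro sshd[505]: Invalid user guest from 203.0.113.7
Mar 28 01:40:12 macpro sshd[506]: Failed password for root from 203.0.113.7 port 40130 ssh2
Mar 28 01:41:00 macpro sshd[507]: Failed password for bob from 198.51.100.9 port 50111 ssh2
Mar 28 01:41:30 macpro sshd[508]: Accepted publickey for bob from 198.51.100.9 port 50112 ssh2
Mar 28 02:05:00 macpro sshd[509]: Failed password for bob from 198.51.100.9 port 50200 ssh2
"""

# The two sshd failure forms that a dictionary attack produces.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user (?P<u1>\S+) from (?P<ip1>[\d.]+)"
    r"|Failed password for (?:invalid user )?(?P<u2>\S+) from (?P<ip2>[\d.]+))"
)

LOG_YEAR = 2013  # assumed: syslog timestamps have no year field


def parse_line(line):
    """Return (timestamp, user, source_ip) for an sshd failure line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["u1"] or m["u2"], m["ip1"] or m["ip2"]


def by_host(user, ip):
    """sshguard-style key: every failure from a host counts, whatever the name."""
    return ip


def by_host_and_user(user, ip):
    """Key reproducing what the poster observed from emond: failures only add
    up when the same login name is reused from the same host."""
    return (ip, user)


def find_offenders(log_text, key=by_host, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window count per key. A key reaching `threshold` failures inside
    `window` is reported once, with the time it crossed the line and every
    distinct login name it tried."""
    recent = defaultdict(deque)   # key -> failure timestamps still inside the window
    users = defaultdict(set)      # key -> distinct login names attempted
    hits = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, user, ip = ev
        k = key(user, ip)
        users[k].add(user)
        q = recent[k]
        q.append(ts)
        while ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= threshold and k not in hits:
            hits[k] = {"blocked_at": ts, "failures": len(q)}
    for k in hits:
        hits[k]["users"] = sorted(users[k])
    return hits


def pf_block_commands(host_hits, anchor="sshguard", table="sshguard"):
    """pfctl invocations that would add each host from a by_host result to the
    <sshguard> table inside the sshguard anchor (names assumed from the thread).
    Strings only; nothing is executed here."""
    return [f"pfctl -a {anchor} -t {table} -T add {ip}" for ip in host_hits]


if __name__ == "__main__":
    per_host = find_offenders(SAMPLE_LOG, key=by_host)
    per_host_user = find_offenders(SAMPLE_LOG, key=by_host_and_user)
    print("per-host offenders:", per_host)
    print("per-(host,user) offenders:", per_host_user)
    for cmd in pf_block_commands(per_host):
        print(cmd)
```

Run against the sample, the per-host rule reports 203.0.113.7 at its fifth failure (01:40:10) after only four distinct names had been tried, while the per-(host, user) rule reports nothing, because no single name was reused more than twice. That is exactly the gap the question describes, and the reason a log-driven blocker keyed on the source host, with a pf table to put the result in, closes it.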
