While using my desktop I suddenly found that my user account was locked out due to numerous failed attempts at logging into my administrator account on my server. I checked the Windows Server's event log and found that someone was denied entry using rdesktop, the Linux RDP client, while I'm mostly on Windows computers. Hmm...
# tcpdump -n dst port 3389 -e -ttt -i pflog0
Code:
00:00:00.000000 rule 11..16777216/0(match): rdr in on igb0: 123.123.123.88.7081 > 192.168.1.10.3389: Flags [SEW], seq 277331287, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.000037 rule 34..16777216/0(match): pass out on igb1: 123.123.123.88.7081 > 192.168.1.10.3389: Flags [SEW], seq 277331287, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:02.983868 rule 11..16777216/0(match): rdr in on igb0: 123.123.123.89.53983 > 192.168.1.10.3389: Flags [SEW], seq 1904643054, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.000023 rule 34..16777216/0(match): pass out on igb1: 123.123.123.89.53983 > 192.168.1.10.3389: Flags [SEW], seq 1904643054, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
Okay, so there's my culprit (I modified the IP addresses); this is an ongoing attempt at brute-forcing into my server.
So I create a new file called pf.hackers and add their IP addresses to it. Then I add the following lines to my pf.conf in the appropriate areas.
Code:
table <hackers> persist file "/etc/pf.hackers"
block drop log quick on $ext_if from <hackers> to any
block drop log quick on $ext_if from any to <hackers>
# pfctl -F all -f /etc/pf.conf
Unfortunately, despite all that, I'm seeing a 'match' in my logs with the above code I pasted, and I'm wondering what I'm doing wrong, since block drop quick was supposed to be processed before my rdr.
Any help would be appreciated!