Date: Fri, 17 Feb 2006 10:13:33 -0800
From: Atanas <atanas@asd.aplus.net>
To: Carl Makin <carl@xena.IPAustralia.gov.au>
Cc: freebsd-stable@freebsd.org
Subject: Re: SSH login takes very long time...sometimes
Message-ID: <43F6124D.8020605@asd.aplus.net>
In-Reply-To: <43F54C18.5000704@xena.ipaustralia.gov.au>
References: <59e2ee810512250841t75157e62rec9dc389ac716534@mail.gmail.com> <20051227101621.GA16276@walton.maths.tcd.ie> <86irrfoix5.fsf@xps.des.no> <43F4E3B0.1090806@asd.aplus.net> <43F514BD.608@cytexbg.com> <43F5322C.1090603@asd.aplus.net> <43F54C18.5000704@xena.ipaustralia.gov.au>
Carl Makin said the following on 02/16/06 20:07:
> Atanas wrote:
>> Does anybody know whether ipfw (or something else within FreeBSD-4) is
>> capable of setting connection rate limits?
>
> I'm using SEC to monitor the auth.log file and block any IP addresses
> that fail a password 3 times within 60 seconds. I use the following
> sec.conf file;
>

Yeah, it does pretty much the same thing I do with a simple script like:

#!/usr/bin/perl
use strict;

my $MAX_TRIES = 5;       # failures tolerated before a source IP is blocked
my $RULE_BASE = 10100;   # first ipfw rule number used for blocks
my $RULES_MAX = 10;      # number of rule slots; the oldest block gets overwritten
my $Rule = $RULE_BASE;   # next rule slot to use
my %Match;               # failure count per source IP

sub ip_block # ($ip, $port)
{
    my ($ip, $port) = @_;
    # Free the slot if an older block still occupies it, then install the new one.
    `ipfw delete $Rule` if `ipfw list $Rule 2>/dev/null`;
    `ipfw add $Rule deny tcp from $ip to any $port in setup`;
    # Advance to the next slot, wrapping around after $RULES_MAX slots.
    $Rule = $RULE_BASE + (++$Rule - $RULE_BASE) % $RULES_MAX;
}

open LOG, "tail -f /var/log/auth.log |" or die "cannot tail auth.log: $!";
while (<LOG>) {
    if( /sshd\[\d+\]/ ) {
        if( /((Illegal user|Failed password for) \S+|Did not receive identification string) from (\d+\.\d+\.\d+\.\d+)/ ) {
            my $ip = $3;
            next if $Match{$ip}++ < $MAX_TRIES;
            ip_block($ip,22);
            undef $Match{$ip};   # start counting afresh for this IP
        }
    }
}
close LOG;

And a cron job removes the blocks every hour:

7 * * * * /sbin/ipfw delete 10100 10101 10102 10103 10104 10105 10106 10107 10108 10109

It does the job, but it would be nice for sshd to have some rate-limit protection built-in. Otherwise, with the increasing number of attacks nowadays, many people would need similar protection.

Regards,
Atanas