Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 17 Feb 2006 10:13:33 -0800
From:      Atanas <atanas@asd.aplus.net>
To:        Carl Makin <carl@xena.IPAustralia.gov.au>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: SSH login takes very long time...sometimes
Message-ID:  <43F6124D.8020605@asd.aplus.net>
In-Reply-To: <43F54C18.5000704@xena.ipaustralia.gov.au>
References:  <59e2ee810512250841t75157e62rec9dc389ac716534@mail.gmail.com>	<20051227101621.GA16276@walton.maths.tcd.ie>	<86irrfoix5.fsf@xps.des.no>	<43F4E3B0.1090806@asd.aplus.net>	<43F514BD.608@cytexbg.com> <43F5322C.1090603@asd.aplus.net> <43F54C18.5000704@xena.ipaustralia.gov.au>
next in thread | previous in thread | raw e-mail | index | archive | help 
Carl Makin said the following on 02/16/06 20:07:
> Atanas wrote:
>> Does anybody know whether ipfw (or something else within FreeBSD-4) is 
>> capable of setting connection rate limits?
> 
> I'm using SEC to monitor the auth.log file and block any IP addresses 
> that fail a password 3 times within 60 seconds.  I use the following 
> sec.conf file;
> 
Yeah, it does pretty much the same thing I do with a simple script like:

#!/usr/bin/perl
use strict;

my $MAX_TRIES = 5;
my $RULE_BASE = 10100;
my $RULES_MAX = 10;
my $Rule = $RULE_BASE;
my %Match;

sub ip_block  # ($ip, $port)
{   my ($ip, $port) = @_;

     `ipfw delete $Rule` if `ipfw list $Rule 2>/dev/null`;
     `ipfw add $Rule deny tcp from $ip to any $port in setup`;

     $Rule = $RULE_BASE + (++$Rule - $RULE_BASE) % $RULES_MAX;
}

open LOG, "tail -f /var/log/auth.log |";
while (<LOG>) {

     if( /sshd\[\d+\]/ ) {
         if( /((Illegal user|Failed password for) \S+|Did not receive 
identification string) from (\d+\.\d+\.\d+\.\d+)/ ) {
             my $ip = $3;
             next if $Match{$ip}++ < $MAX_TRIES;
             ip_block($ip,22);
             undef $Match{$ip};
         }
     }
}
close F;

And a cron job removes the blocks every hour:

7 * * * * /sbin/ipfw delete 10100 10101 10102 10103 10104 10105 10106 
10107 10108 10109

It does the job, but it would be nice for sshd to have some rate-limit 
protection built-in. Otherwise, with the increasing number of attacks 
nowadays, many people would need similar protection.

Regards,
Atanas

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?43F6124D.8020605>