From: "Ilias Sachpazidis"
Reply-To: Ilias.Sachpazidis@igd.fraunhofer.de
To: "'Daniel Gerzo'"
Cc: questions@freebsd.org
Date: Wed, 25 Jan 2006 01:41:02 +0100
Organization: Fraunhofer IGD
Subject: RE: auth.log & intruder prevention

Thanks Daniel,

I was about to develop a Perl script. It, however, seems that
bruteforceblocker does what I was looking for.

Thanks again,
Ilias

-----Original Message-----
From: Daniel Gerzo [mailto:danger@rulez.sk]
Sent: Wednesday, 25 January 2006 00:58
To: Ilias.Sachpazidis@igd.fraunhofer.de
Cc: questions@freebsd.org
Subject: Re: auth.log & intruder prevention

On Tue, Jan 24, 2006 at 10:02:26PM +0100, Ilias Sachpazidis wrote:
> Hi Everyone,

hello,

>
> In auth.log of my FreeBSD boxes I got many requests to port 22, as you can
> see below.
> ----begin of snippet
> Jan 22 11:21:50 zeus sshd[92900]: Failed password for illegal user cracking from 65.208.188.105 port 58344 ssh2
> Jan 22 11:21:53 zeus sshd[92902]: Failed password for illegal user hacking from 65.208.188.105 port 58443 ssh2
> ----end of snippet
>
> I am wondering if any script is available to prevent hundreds of attempts on
> port 22 from external IPs that are constantly checking user & passwords on my
> FreeBSD PCs.
>
> What I am looking for is a daemon application/script that receives the
> recorded data from auth.log and detects if any remote client (IP address) is
> checking user and passwords (Detection pattern: 5 missing attempts in 1
> min). On a successful detection, the script should add an ipfw rule
> rejecting further IP packets from the specific remote address.
>
> Is any script or something similar available so far?

I've written a BruteForceBlocker, you can install it from ports as well,
check security/bruteforceblocker.

Hope you will like it.

--
Sincerely,
Daniel Gerzo
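
The detection pattern asked for in the question above (5 failed attempts within 1 minute per remote address, then an ipfw deny rule), as an added example that is not part of the thread and is not bruteforceblocker's own code. The sample log lines, the names `detect` and `ipfw_rule`, the `allow` list and the log year are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Anchored at the end of the line: the user name is attacker-controlled, so a
# name such as "x from 192.0.2.1 port 1 ssh2" must not be able to spoof the address.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed sample in the auth.log format quoted above (documentation addresses).
USERS = [(50, "cracking"), (52, "hacking"), (53, "x from 192.0.2.1 port 1 ssh2"),
         (55, "admin"), (57, "test")]
SAMPLE = [
    f"Jan 22 11:21:{s:02d} zeus sshd[929{s:02d}]: Failed password for illegal user "
    f"{u} from 203.0.113.7 port 58{s:03d} ssh2"
    for s, u in USERS
] + [  # slow source: one failure every two minutes, never 5 inside a minute
    f"Jan 22 11:{m:02d}:00 zeus sshd[100]: Failed password for root from 198.51.100.9 port 4000 ssh2"
    for m in range(0, 10, 2)
]

def detect(lines, threshold=5, window=timedelta(minutes=1), year=2006, allow=()):
    """Return addresses with `threshold` failures inside `window`, in detection order."""
    recent = defaultdict(deque)  # address -> timestamps of its recent failures
    blocked = []
    for line in lines:
        m = FAILED.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])  # reject anything that is not an address
        except ValueError:
            continue
        if str(ip) in allow or ip in blocked:  # never block allow-listed admin hosts
            continue
        # syslog timestamps carry no year, so it is supplied by the caller
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            blocked.append(ip)
    return [str(ip) for ip in blocked]

def ipfw_rule(ip):
    """Build the argv for an ipfw deny rule; it is returned, not executed."""
    return ["ipfw", "add", "deny", "ip", "from", str(ipaddress.ip_address(ip)), "to", "any"]
```

Passing the rule as an argv list rather than a shell string, and only after `ipaddress` has validated the value, keeps text taken from the log out of any shell.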