From: "Brian J. McGovern" <bmcgover@bmcgover-pc.cisco.com>
To: questions@freebsd.org
Date: Wed, 13 Oct 2004 10:04:24 -0400
Subject: Automatic Firewall software?

All,

This morning I woke up to find one of my systems under hacker attack (a considerable number of attempts to log in to ftp, ssh, etc., mostly using system accounts). I loaded ipfw and set up a couple of quick rules to block the point of origin. Unfortunately, the address appears to be DHCP'ed, so I expect the hacker will at some point get a new address and start over.
Rather than having to hang over my machine, is there any software out there that will monitor logs (e.g. /var/log/messages), parse out failed logins like this, and run an ipfw command to block them? Perhaps something can be done via PAM? An added bonus would be if it would unblock after some period of time, in case a legitimate user bungles their password and can't get in (saves the service call).

-Brian
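The kind of log watcher the post asks for, as an added example that is not part of the original message and not any software the poster or FreeBSD ships: it tails a syslog file, counts failed sshd/ftpd logins per source address inside a sliding window, issues an `ipfw add N deny ip from ADDR to any` once a threshold is crossed, and issues `ipfw delete N` again when the ban expires, so a legitimate user who fumbled a password is let back in automatically. The sshd/ftpd message wordings matched by the regexes, the rule-number range, the thresholds and the sample log lines are all assumptions made for this example; check them against what your own daemons actually log.

```python
#!/usr/bin/env python3
"""Watch a syslog file for failed logins and emit ipfw block/unblock commands.

Added example for this thread, not the poster's code and not a FreeBSD tool.
The log formats, rule numbers and thresholds below are assumptions.
"""
import re
import subprocess
import sys
import time
from collections import defaultdict, deque

# Assumed wordings for the two services named in the post; adjust to taste.
FAILED_LOGIN = [
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)"),
    re.compile(r"sshd\[\d+\]: Illegal user \S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)"),
    re.compile(r"ftpd\[\d+\]: FTP LOGIN FAILED FROM (?P<ip>\d+\.\d+\.\d+\.\d+)"),
]


def failed_ip(line):
    """Return the source IP of a failed-login log line, or None for anything else."""
    for pat in FAILED_LOGIN:
        m = pat.search(line)
        if m:
            return m.group("ip")
    return None


class Blocker:
    """Count failures per IP in a sliding window; block with ipfw, unblock after ban_secs."""

    def __init__(self, threshold=5, window_secs=600, ban_secs=3600,
                 first_rule=10000, last_rule=10999, dry_run=True):
        self.threshold, self.window, self.ban = threshold, window_secs, ban_secs
        self.free_rules = deque(range(first_rule, last_rule + 1))  # one rule number per banned IP
        self.attempts = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked = {}                    # ip -> (rule number, expiry time)
        self.dry_run = dry_run               # True: only return the command, never run it

    def _run(self, cmd):
        if not self.dry_run:
            subprocess.run(cmd.split(), check=False)   # needs root to change ipfw rules
        return cmd

    def feed(self, line, now=None):
        """Process one log line; return the ipfw command issued, or None."""
        now = time.time() if now is None else now
        ip = failed_ip(line)
        if ip is None or ip in self.blocked:
            return None
        q = self.attempts[ip]
        q.append(now)
        while q and q[0] < now - self.window:          # forget failures outside the window
            q.popleft()
        if len(q) < self.threshold or not self.free_rules:
            return None
        rule = self.free_rules.popleft()
        self.blocked[ip] = (rule, now + self.ban)
        del self.attempts[ip]
        return self._run(f"ipfw add {rule} deny ip from {ip} to any")

    def expire(self, now=None):
        """Lift bans whose time is up; return the ipfw commands issued."""
        now = time.time() if now is None else now
        cmds = []
        for ip, (rule, until) in list(self.blocked.items()):
            if until <= now:
                del self.blocked[ip]
                self.free_rules.append(rule)            # rule number can be reused
                cmds.append(self._run(f"ipfw delete {rule}"))
        return cmds


def follow(path, blocker, poll_secs=2):
    """tail -f style loop: feed new lines to the blocker and expire old bans."""
    with open(path) as fh:
        fh.seek(0, 2)                                   # start at end: ignore old history
        while True:
            line = fh.readline()
            if line:
                cmd = blocker.feed(line)
                if cmd:
                    print(cmd, file=sys.stderr)
            else:
                for cmd in blocker.expire():
                    print(cmd, file=sys.stderr)
                time.sleep(poll_secs)


if __name__ == "__main__":
    # e.g. python3 ipfw_watch.py /var/log/auth.log   (pass dry_run=False to really block)
    follow(sys.argv[1] if len(sys.argv) > 1 else "/var/log/auth.log", Blocker(dry_run=True))
```

Two things to check before running it for real: the rule numbers handed out (10000 to 10999 here) must sort before whatever `allow` rules admit ssh and ftp, or the deny will never be reached, and the ban should be long enough to outlast a DHCP lease turnover but short enough that a locked-out colleague is not calling you. Because commands are returned rather than only executed, the decision logic can be unit-tested against constructed log lines without touching the firewall.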