From owner-freebsd-questions@FreeBSD.ORG  Wed Oct 13 14:04:08 2004
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 43F3A16A4CE
	for <questions@freebsd.org>; Wed, 13 Oct 2004 14:04:08 +0000 (GMT)
Received: from sj-iport-4.cisco.com (sj-iport-4.cisco.com [171.68.10.86])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1E25743D1D
	for <questions@freebsd.org>; Wed, 13 Oct 2004 14:04:08 +0000 (GMT)
	(envelope-from bmcgover@bmcgover-pc.cisco.com)
Received: from sj-core-1.cisco.com (171.71.177.237)
  by sj-iport-4.cisco.com with ESMTP; 13 Oct 2004 07:04:27 -0700
X-BrightmailFiltered: true
Received: from flask.cisco.com (IDENT:mirapoint@flask.cisco.com
	[161.44.122.62])
	by sj-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id i9DE3vk4026741
	for <questions@freebsd.org>; Wed, 13 Oct 2004 07:04:04 -0700 (PDT)
Received: from bmcgover-pc.cisco.com (bmcgover-pc.cisco.com [161.44.65.27])
	by flask.cisco.com (MOS 3.4.6-GR)
	with ESMTP id AMG21296;
	Wed, 13 Oct 2004 10:03:55 -0400 (EDT)
Received: from bmcgover-pc.cisco.com (localhost.cisco.com [127.0.0.1])
	i9DE4ONU047345
	for <questions@freebsd.org>; Wed, 13 Oct 2004 10:04:24 -0400 (EDT)
	(envelope-from bmcgover@bmcgover-pc.cisco.com)
Message-Id: <200410131404.i9DE4ONU047345@bmcgover-pc.cisco.com>
To: questions@freebsd.org
Date: Wed, 13 Oct 2004 10:04:24 -0400
From: "Brian J. McGovern" <bmcgover@cisco.com>
Subject: Automatic Firewall software?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Oct 2004 14:04:08 -0000

All,	
	This morning, I woke up to find one of my systems under hacker attack
(considerable multiple attempts to log in to ftp, ssh, etc., mostly using
system accounts). I loaded ipfw and set up a couple of quick rules to block
the point of origin. Unfortunately, the address appears to be DHCP'ed, so I
expect the hacker will at some point get a new address, and start over.

	Rather than having to hang over my machine is there any software out
there that will monitor logs (e.g. /var/log/messages), parse out failed logins
like this, and run an ipfw command to block it? Perhaps something can be done
via PAM? 

	An added extra bonus would be if it would unblock after some period
of time, in case a legit. user bungles their password, and can't get in
(saves the service call).

	-Brian