From owner-freebsd-questions@FreeBSD.ORG Wed Oct 13 16:15:00 2004
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6C39916A4CE for ; Wed, 13 Oct 2004 16:15:00 +0000 (GMT)
Received: from smtp1.utdallas.edu (smtp1.utdallas.edu [129.110.10.12]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3FBFB43D1F for ; Wed, 13 Oct 2004 16:15:00 +0000 (GMT) (envelope-from pauls@utdallas.edu)
Received: from utd49554 (utd49554.utdallas.edu [129.110.3.85]) by smtp1.utdallas.edu (Postfix) with ESMTP id DDCBD388D80; Wed, 13 Oct 2004 11:14:59 -0500 (CDT)
Date: Wed, 13 Oct 2004 11:15:15 -0500
From: Paul Schmehl
To: "Brian J. McGovern", questions@freebsd.org
Message-ID: <4ACDF26414DB010421A6AD6C@utd49554.utdallas.edu>
In-Reply-To: <200410131404.i9DE4ONU047345@bmcgover-pc.cisco.com>
References: <200410131404.i9DE4ONU047345@bmcgover-pc.cisco.com>
X-Mailer: Mulberry/3.1.6 (Linux/x86)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Subject: Re: Automatic Firewall software?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Paul Schmehl
List-Id: User questions
X-List-Received-Date: Wed, 13 Oct 2004 16:15:00 -0000

--On Wednesday, October 13, 2004 10:04:24 AM -0400 "Brian J. McGovern" wrote:

> Rather than having to hang over my machine, is there any software out
> there that will monitor logs (e.g. /var/log/messages), parse out failed
> logins like this, and run an ipfw command to block it? Perhaps something
> can be done via PAM?

Yes. Look at the Sentry Tools project at Sourceforge. () In particular,
portsentry will do exactly what you want. It will throw up a temporary
rule in ipfw blocking the host. (I say temporary because when you restart
ipfw it will go away.) It will also add the host to your /etc/hosts.allow
file, blocking it permanently from accessing privileged services.

> An added extra bonus would be if it would unblock after some period
> of time, in case a legit. user bungles their password and can't get in
> (saves the service call).

It won't do that, but you can just run "ipfw show" and then delete the
rule. Then you can add that host to the portsentry.ignore file, and it
will never happen again. (Or you can do it proactively if you know the
hosts or networks your users will be coming from.)

I've been using it for years. Works very well, but be careful. On a large
server with lots of activity, you probably want to start by not blocking
anything until you're comfortable with your ignore file.

I also use logsentry on a number of hosts. Very nice program. Both are
well written and quite mature.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
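The workflow Paul describes (count failed logins per source address from /var/log/messages, skip anything in an ignore file, add an ipfw deny rule, and later find that rule with "ipfw show" to delete it) can be sketched in a few lines of shell. The script below is an added example for this thread, not code from the post or from the Sentry Tools project. The failure threshold of 3, the ipfw rule number 1000, the exact-host format of the ignore file, and the sshd log lines are all assumptions made for the example; the log lines are constructed, not taken from a real server.

```shell
#!/bin/sh
# Added example, not code from the post or from the Sentry Tools project.
# A minimal /var/log/messages watcher in the spirit of what the post says
# portsentry does: count failed logins per source address, skip anything
# listed in an ignore file, and print the ipfw rules that would block the
# rest.  Nothing is applied unless IPFW_APPLY=1, so it can be run first in
# "print only" mode, as the post recommends on a busy server.
LC_ALL=C; export LC_ALL

THRESHOLD=${THRESHOLD:-3}                       # assumption: 3 failures trips a block
IGNORE_FILE=${IGNORE_FILE:-portsentry.ignore}   # one address per line (exact match; networks not handled here)
RULE_NUM=${RULE_NUM:-1000}                      # assumption: ipfw rule number used for blocks

# Constructed sample of sshd lines in /var/log/messages form (not from the
# post).  192.168.1.20 is the "legitimate user who bungled a password" case:
# three failures, then success; it belongs in the ignore file.
sample_log() {
cat <<'EOF'
Oct 13 10:01:02 host sshd[1234]: Failed password for root from 10.0.0.5 port 4421 ssh2
Oct 13 10:01:05 host sshd[1234]: Failed password for root from 10.0.0.5 port 4422 ssh2
Oct 13 10:01:09 host sshd[1235]: Failed password for invalid user admin from 10.0.0.5 port 4423 ssh2
Oct 13 10:02:00 host sshd[1240]: Failed password for paul from 192.168.1.20 port 5000 ssh2
Oct 13 10:02:04 host sshd[1240]: Failed password for paul from 192.168.1.20 port 5001 ssh2
Oct 13 10:02:08 host sshd[1240]: Failed password for paul from 192.168.1.20 port 5002 ssh2
Oct 13 10:02:30 host sshd[1241]: Accepted password for paul from 192.168.1.20 port 5003 ssh2
Oct 13 10:03:00 host sshd[1250]: Failed password for root from 172.16.0.9 port 6000 ssh2
Oct 13 10:03:01 host sshd[1250]: Failed password for root from 172.16.0.9 port 6001 ssh2
Oct 13 10:03:02 host sshd[1250]: Failed password for root from 172.16.0.9 port 6002 ssh2
Oct 13 10:03:03 host sshd[1250]: Failed password for root from 172.16.0.9 port 6003 ssh2
EOF
}

# offenders: read log lines on stdin, print "<count> <ip>" for every source
# with THRESHOLD or more "Failed password" lines, sorted by address.
offenders() {
    awk -v thr="$THRESHOLD" '
        /Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }
    ' | sort -k2
}

# is_ignored <ip>: true when the address is listed in IGNORE_FILE
is_ignored() {
    [ -f "$IGNORE_FILE" ] && grep -qx -- "$1" "$IGNORE_FILE"
}

# block_cmds: read log lines on stdin, print the ipfw command for each
# offender not in the ignore file; also run it when IPFW_APPLY=1.
block_cmds() {
    offenders | while read -r count ip; do
        if is_ignored "$ip"; then
            echo "# $ip: $count failures, listed in $IGNORE_FILE, not blocked" >&2
            continue
        fi
        cmd="ipfw add $RULE_NUM deny ip from $ip to any"
        echo "$cmd"
        if [ "${IPFW_APPLY:-0}" = 1 ]; then $cmd; fi
    done
}

# unblock_cmd <ip>: the manual step from the post.  Feed it the output of
# "ipfw show"; it prints the "ipfw delete" for each rule that denies <ip>
# (the rule number is the first column of "ipfw show" output).
unblock_cmd() {
    awk -v ip="$1" 'index($0, "deny ip from " ip " to any") { print "ipfw delete " $1 }'
}

# Demo run on the constructed log, print only:  RUN_DEMO=1 sh watch.sh
if [ "${RUN_DEMO:-0}" = 1 ]; then
    sample_log | block_cmds
fi
```

Run it with RUN_DEMO=1 to see which rules it would add; only set IPFW_APPLY=1 once the ignore file covers your users' hosts, which is the same "watch before you block" advice the post gives. Deleting a block is then `ipfw show | sh -c 'unblock_cmd 10.0.0.5'` (after sourcing the script), and adding the address to the ignore file keeps it from being blocked again.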