From owner-freebsd-questions@FreeBSD.ORG Fri Jun 18 12:31:12 2010
In-Reply-To: <367428.93212.qm@web51108.mail.re2.yahoo.com>
References: <367428.93212.qm@web51108.mail.re2.yahoo.com>
Date: Fri, 18 Jun 2010 14:31:10 +0200
From: Balázs Mátéffy
To: freebsd-questions@freebsd.org
Subject: Re: system is under attack (what can I do more?)
Hello,

1. Maybe the line with the rule is in a bad place in the conf, but even if it's working it's possible that it won't be triggered. As far as I can see there are 30 sec interval pauses between attacks from one host. Your rule is looking for connections in 30 sec ranges.

2. You should use a program that monitors the logs, and then passes the IPs after 3 unsuccessful logins to the bruteforce table. See bruteforceblocker, but there are a bunch of other programs for this.

Regards,
MB.
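As an added illustration of point 2 (not part of the reply above, and not bruteforceblocker's own code), here is a minimal sh script that counts failed sshd logins per source address in a FreeBSD-style auth.log and feeds addresses with 3 or more failures into a pf table. It assumes a pf table named "bruteforce" already exists in pf.conf and that sshd logs in the default FreeBSD format; the log lines embedded in it are constructed samples.

```shell
#!/bin/sh
# Count failed sshd logins per source IP and add repeat offenders to a pf
# table. Assumed: pf.conf declares `table <bruteforce> persist` and a block
# rule that references it; the log format is FreeBSD's default auth.log.

# Constructed sample lines (not real traffic) so the parser can be
# exercised without a live system.
sample_log() {
    cat <<'EOF'
Jun 18 12:00:01 host sshd[1001]: Failed password for root from 192.0.2.10 port 40001 ssh2
Jun 18 12:00:31 host sshd[1002]: Failed password for root from 192.0.2.10 port 40002 ssh2
Jun 18 12:01:01 host sshd[1003]: Failed password for invalid user admin from 192.0.2.10 port 40003 ssh2
Jun 18 12:01:05 host sshd[1004]: Failed password for bob from 198.51.100.7 port 50000 ssh2
Jun 18 12:02:00 host sshd[1005]: Accepted publickey for alice from 203.0.113.5 port 60000 ssh2
EOF
}

# failed_login_ips LOGFILE THRESHOLD   ("-" reads the log from stdin)
#   Prints, one per line and sorted, every source IP that failed at
#   least THRESHOLD times (default 3, as suggested in the reply).
failed_login_ips() {
    logfile=$1
    threshold=${2:-3}
    # Only sshd failure lines count; the IP is the word after "from".
    awk -v limit="$threshold" '
        /sshd\[[0-9]+\]:/ && (/Failed password/ || /authentication error/ || /Invalid user/) {
            for (i = 1; i <= NF; i++)
                if ($i == "from" && i < NF) { count[$(i+1)]++; break }
        }
        END {
            for (ip in count) if (count[ip] >= limit) print ip
        }' "$logfile" | sort
}

# add_to_pf_table TABLE
#   Reads IPs from stdin and adds each to the pf table (needs root).
add_to_pf_table() {
    table=${1:-bruteforce}
    while read -r ip; do
        pfctl -t "$table" -T add "$ip"
    done
}

# Usage, e.g. from cron:
#   sample_log | failed_login_ips - 3                      # dry run on the samples
#   failed_login_ips /var/log/auth.log 3 | add_to_pf_table bruteforce
```

Because it re-reads the whole log each run, entries already in the table are simply re-added (pfctl reports them as unchanged); a real deployment would track the log offset or use a tailer such as bruteforceblocker.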