From owner-freebsd-questions@FreeBSD.ORG Sat Dec 26 21:32:05 2009
Date: Sat, 26 Dec 2009 13:32:04 -0800
From: Brandon Low
To: Mel Flynn
Cc: freebsd-questions@freebsd.org
Subject: Re: RFC: Fam/Python based script for bruteforce blocking
Message-ID: <20091226213204.GA96136@lostlogicx.com>
References: <20091218013422.GI73162@lostlogicx.com> <200912190338.26709.mel.flynn+fbsd.questions@mailing.thruhere.net>
In-Reply-To: <200912190338.26709.mel.flynn+fbsd.questions@mailing.thruhere.net>
X-Operating-System: FreeBSD 8.0-RELEASE amd64
User-Agent: Mutt/1.5.20 (2009-06-14)

On 2009-12-19 (Sat) at 03:38:26 -0900, Mel Flynn wrote:
> Well, my first problem with it is obviously that I now need python, where I
> don't want python. In fact, my firewalls/gateways only have /bin/sh and
> /bin/csh as scripting languages. It's one reason I switched from custom
> sysutils/grok rules to using security/sshguard - it got me rid of perl.

That makes sense -- I'm using it on a general purpose server as opposed to
a dedicated firewall box.

> Secondly, you have matching rules coded in the script. If there would be one
> reason to prefer this script over sshguard, it would be that I can add attack
> patterns more easily, in config file with a syntax that's not too obscure.

Interesting thought, I will definitely make the matching rules configurable
and potentially make it possible to monitor multiple logfiles for attack
patterns (potentially configurable per-logfile).

> Last but not least, you assume that once an IP is at fault, I want that IP
> blocked permanently. In practice you end up with an extremely large table that
> might eventually be too big for a default PF table and recurring scans from
> the same IP are not that common (you see the IP in a 12-24 hour window, then
> not again).

You've misread the script. IPs are expired after a configurable number of
seconds.

>
> Hope this helps.

Thanks kindly for the feedback!

--Brandon
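As an added illustration of the three design points raised in this thread (per-logfile match patterns kept in a config table rather than hard-coded, hit counting inside a sliding window, and expiring blocked IPs after a configurable number of seconds instead of letting the PF table grow forever), here is a self-contained Python sketch. It is not Brandon's script; the rule table format, the class and function names, the thresholds and the sample log lines are assumptions, and only the `pfctl -t TABLE -T add|delete IP` argv reflects the real PF tool.

```python
import re
from collections import defaultdict
# Constructed rule table (hypothetical config format, not the script's own):
# rule name -> (logfile it applies to, regex whose 'ip' group captures the offender).
RULES = {
    "sshd-invalid-user": ("/var/log/auth.log",
                          re.compile(r"Invalid user \S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")),
    "sshd-failed-password": ("/var/log/auth.log",
                             re.compile(r"Failed password for .+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")),
}

class BruteForceTracker:
    """Counts rule hits per IP inside a sliding window and expires blocks after block_ttl seconds."""
    def __init__(self, threshold=3, window=600, block_ttl=3600):
        self.threshold, self.window, self.block_ttl = threshold, window, block_ttl
        self.attempts = defaultdict(list)   # ip -> timestamps of recent hits
        self.blocked = {}                   # ip -> time (seconds) at which the block expires

    def feed(self, logfile, line, now):
        """Apply the rules for `logfile` to one line; return the IP if it just crossed the threshold."""
        for path, pattern in RULES.values():
            if path != logfile:
                continue
            m = pattern.search(line)
            if m is None:
                continue
            ip = m.group("ip")
            if ip in self.blocked:            # already in the PF table, nothing more to do
                return None
            recent = [t for t in self.attempts[ip] if now - t <= self.window]
            recent.append(now)                # drop hits older than the window, then count this one
            self.attempts[ip] = recent
            if len(recent) >= self.threshold:
                self.blocked[ip] = now + self.block_ttl
                del self.attempts[ip]
                return ip
            return None                       # one rule hit per line is enough; avoid double counting
        return None

    def expire(self, now):
        """Return IPs whose block TTL has passed and forget them; the caller removes them from PF."""
        expired = sorted(ip for ip, until in self.blocked.items() if until <= now)
        for ip in expired:
            del self.blocked[ip]
        return expired

def pfctl_argv(table, action, ip):
    """argv for the real pfctl table command (pfctl -t TABLE -T add|delete IP); built, not executed here."""
    return ["pfctl", "-t", table, "-T", action, ip]
```

A real monitor would run `pfctl_argv(table, "add", ip)` via subprocess when `feed()` returns an IP and `pfctl_argv(table, "delete", ip)` for each IP that `expire()` returns, so the table only ever holds currently blocked addresses.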