Date:      Sun, 5 Feb 2006 14:21:37 -0600 (CST)
From:      Philip Hallstrom <freebsd@philip.pjkh.com>
To:        "Michael A. Alestock" <michaela@maa-net.net>
Cc:        questions@freebsd.org
Subject:   Re: IP Banning (Using IPFW)
Message-ID:  <20060205141955.D30438@bravo.pjkh.com>
In-Reply-To: <20060205103027.D7469@bsd.maa-net.net>
References:  <20060205103027.D7469@bsd.maa-net.net>

> I was wondering if there's some sort of port available that can actively ban 
> IPs that try and bruteforce a service such as SSH or Telnet, by scanning the 
> /var/log/auth.log log for Regex such as "Illegal User" or "LOGIN FAILURES", 
> and then using IPFW to essentially deny (ban) that IP for a certain period of 
> time or possibly forever.
>
> I've seen a very useful one that works for linux (fail2ban), and was 
> wondering if one exists for FreeBSD's IPFW?

There are some in the ports, but you can write your own pretty easily too. 
The one thing I didn't like about the ones in the ports is that the app was 
responsible for removing the rules after a set amount of time, which 
could be a problem if that app crashed for some reason.  You could lock 
yourself out permanently...

Here's a quick perl script I wrote that does what you want...

http://pastebin.com/540575

Combine that with these two crontab entries:

0-59/4 * * * * /sbin/ipfw delete 501 >/dev/null 2>&1
2-59/4 * * * * /sbin/ipfw delete 500 >/dev/null 2>&1

-philip
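The approach from the reply, written out as an added example (this is not the script from the pastebin): failed logins are counted per source address, and the ban goes into whichever of rule sets 500 and 501 cron cleared most recently, so the cron entries above expire every ban without the script's help. The log formats, the threshold of 3, and the allow-list address are assumptions for the example.

```shell
#!/bin/sh
# Added example, not the pastebin script from the message: count failed logins
# per source address in auth.log-style lines and print the ipfw commands that
# would ban the offenders. The rule number alternates between 500 and 501 by
# 4-minute slot to match the two crontab entries above, so every ban expires
# when cron deletes that rule number, even if this script stops running.

# Constructed sample log (formats assumed: OpenSSH "Illegal user ... from IP"
# and login(1) "N LOGIN FAILURES FROM host", with an address as the host).
SAMPLE_LOG='Feb  5 14:01:02 bravo sshd[4011]: Illegal user oracle from 198.51.100.7
Feb  5 14:01:05 bravo sshd[4013]: Illegal user test from 198.51.100.7
Feb  5 14:01:09 bravo sshd[4015]: Illegal user admin from 198.51.100.7
Feb  5 14:02:11 bravo login: 3 LOGIN FAILURES FROM 203.0.113.9
Feb  5 14:03:30 bravo sshd[4020]: Illegal user guest from 192.0.2.44
Feb  5 14:04:00 bravo sshd[4022]: Accepted publickey for philip from 192.0.2.44'

THRESHOLD=3                 # failures before an address is banned (assumed policy)
NEVER_BAN="203.0.113.9"     # addresses never banned, e.g. your own (assumed value)

# Cron deletes rule 501 at minutes 0,4,8,... and rule 500 at minutes 2,6,10,...
# Add to the set that was cleared most recently so a new ban survives at least
# two minutes and at most four. Argument: minute of the hour (00-59).
rule_for_minute() {
    m=${1#0}; m=${m:-0}             # "08" would be read as octal by $(( ))
    if [ $(( m % 4 )) -lt 2 ]; then echo 501; else echo 500; fi
}

# Print "count address" per source, highest count first.
count_failures() {
    printf '%s\n' "$1" | awk '
        /Illegal user .* from /  { ip[$NF]++ }
        /LOGIN FAILURES FROM /   { ip[$NF] += $(NF-4) }  # N is 4 fields before host
        END { for (a in ip) print ip[a], a }' | sort -rn
}

# Print the ipfw command for every address at or above THRESHOLD that is not
# on the allow list. Arguments: log text, current minute. Commands are printed,
# not executed, so they can be reviewed; pipe the output to sh as root to apply.
ban_commands() {
    rule=$(rule_for_minute "$2")
    count_failures "$1" | while read -r n ip; do
        [ "$n" -ge "$THRESHOLD" ] || continue
        case " $NEVER_BAN " in *" $ip "*) continue ;; esac
        echo "/sbin/ipfw add $rule deny ip from $ip to any"
    done
}

ban_commands "$SAMPLE_LOG" "$(date +%M)"
```

In production the script would read `/var/log/auth.log` (or its tail since the last run) instead of the embedded sample, and would itself run from cron alongside the two delete entries.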
