From: Philip Hallstrom
To: "Michael A. Alestock"
Cc: questions@freebsd.org
Date: Sun, 5 Feb 2006 14:21:37 -0600 (CST)
Subject: Re: IP Banning (Using IPFW)
Message-ID: <20060205141955.D30438@bravo.pjkh.com>
In-Reply-To: <20060205103027.D7469@bsd.maa-net.net>

> I was wondering if there's some sort of port available that can actively ban
> IPs that try and brute-force a service such as SSH or Telnet, by scanning the
> /var/log/auth.log log for Regex such as "Illegal User" or "LOGIN FAILURES",
> and then using IPFW to essentially deny (ban) that IP for a certain period of
> time or possibly forever.
>
> I've seen a very useful one that works for Linux (fail2ban), and was
> wondering if one exists for FreeBSD's IPFW?

There are some in the ports, but you can write your own pretty easily too.
The one thing I didn't like about the ones in the ports is the app was
responsible for removing the rules after a set amount of time, which could
be a problem if that app crashed for some reason. You could lock yourself
out permanently...

Here's a quick Perl script I wrote that does what you want...

http://pastebin.com/540575

Combine that with these two crontab entries:

0-59/4 * * * * /sbin/ipfw delete 501 >/dev/null 2>&1
2-59/4 * * * * /sbin/ipfw delete 500 >/dev/null 2>&1

-philip
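Philip's script itself is only reachable through the pastebin link. As an added example (not the script from the reply, and not FreeBSD project code), the Python sketch below shows the same design: scan auth.log for failed SSH logins, ban repeat offenders with ipfw rules numbered 500 or 501, and let the two crontab entries above, not the script, expire the bans, so a crashed script cannot leave a permanent lockout. The sample log lines are constructed, and the threshold of 3 failures and the rule-selection logic (add to whichever rule number cron will flush last, giving a 2-4 minute ban) are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Rule numbers tied to the two crontab entries in the reply: cron deletes
# rule 501 at minutes 0,4,8,... and rule 500 at 2,6,10,... (flush offset per rule).
FLUSH_OFFSET = {501: 0, 500: 2}

# Constructed sshd lines in auth.log syslog format (not real traffic).
SAMPLE_LOG = """\
Feb  5 14:10:01 bravo sshd[1234]: Illegal user admin from 203.0.113.7
Feb  5 14:10:03 bravo sshd[1235]: Invalid user oracle from 203.0.113.7
Feb  5 14:10:05 bravo sshd[1236]: Failed password for root from 203.0.113.7 port 4022 ssh2
Feb  5 14:10:09 bravo sshd[1237]: Failed password for alice from 198.51.100.2 port 4100 ssh2
Feb  5 14:10:12 bravo sshd[1238]: Accepted publickey for alice from 198.51.100.2 port 4101 ssh2
"""

# "Illegal user" is the older OpenSSH wording, "Invalid user" the newer one.
FAIL_RE = re.compile(r"sshd\[\d+\]: (?:(?:Illegal|Invalid) user \S+|Failed password for \S+)"
                     r" from (\d{1,3}(?:\.\d{1,3}){3})")

def failures_by_ip(log_text):
    """Count failed SSH logins per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def offenders(log_text, threshold=3):
    """Addresses with at least `threshold` failures (threshold is an assumed value)."""
    return sorted(ip for ip, n in failures_by_ip(log_text).items() if n >= threshold)

def pick_rule(minute):
    """Pick the rule number cron will flush last, so a new ban lives 2-4 minutes.
    Cron, not this script, expires bans, so a crash here leaves no permanent ban."""
    pos = minute % 4
    until_flush = {rule: (off - pos) % 4 or 4 for rule, off in FLUSH_OFFSET.items()}
    return max(until_flush, key=until_flush.get)

def ban_commands(log_text, minute, threshold=3):
    """ipfw commands to run. Rules may share a number; 'ipfw delete N' removes them all."""
    rule = pick_rule(minute)
    return ["/sbin/ipfw add %d deny ip from %s to any" % (rule, ip)
            for ip in offenders(log_text, threshold)]

if __name__ == "__main__":
    for cmd in ban_commands(SAMPLE_LOG, datetime.now().minute):
        print(cmd)
```

Run as-is it only prints the commands for the constructed sample; to go live you would read /var/log/auth.log instead and execute each printed command from cron alongside the two delete entries.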