Date: Sun, 23 Aug 2009 10:49:24 -0500
From: Len Conrad <LConrad@Go2France.com>
To: freebsd-pf@freebsd.org
Subject: Re: something like bruteblock for pf?
Message-ID: <200908231748187.SM01728@W500.Go2France.com>
In-Reply-To: <4A914FD1.7070500@bals.org>
References: <200908230132343.SM01728@W500.Go2France.com> <a2b6592c0908221807q24e7f54aka75b561debca63eb@mail.gmail.com> <200908230340125.SM01728@W500.Go2France.com> <7731938b0908221957g2150a2f0p3263b6cab72bdf81@mail.gmail.com> <4A914FD1.7070500@bals.org>

>On 08/22/2009 10:57 PM Peter Maxwell wrote:
>>2009/8/23 Len Conrad <LConrad@go2france.com>:
>>>I'm looking for something like bruteblock that logwatches (smtp, ssh, ftp, whatever) and inserts/removes TCP block rules into pf for x hours, so the protocol daemons are involved.
>...
>>Before implementing something like this, I would urge caution: if what
>>you're asking was actually of any use, someone else would probably
>>have done it properly. I can't imagine how log entries from an ftp
>>server, say, are going to be related to your smtp server security? If
>>it's a simple connection management, then
>>max-src-conn/max-src-conn-rate might be a more robust solution.
>
>http://johan.fredin.info/openbsd/block_ssh_bruteforce.html explains how to use max-src-conn-rate and expiretable.
>
># pkg_info -x expiretable
>Information for expiretable-0.6:
>
>Comment:
>Utility to remove entries from the pf(4) table based on their age
>
>Description:
>Expiretable is a utility used to remove entries from the pf(4) table
>based on their age.
>
>The age in question being the amount of time that has passed since
>the statistics for each entry in the target table was last cleared.
>
>WWW: http://expiretable.fnord.se/

I have no problem putting IPs into pf, it's expiring them that was blocking me, but expiretable fixes that.

I don't use pf for protecting these "sacrificial" machines generally, only for reactive blocking.

thanks
Len
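
The combination discussed in this message (max-src-conn-rate filling a table, expiretable emptying it), sketched as an added example that is not taken from the thread or the linked page. The interface name, table name, thresholds, expiry age and the expiretable install path are all assumptions.

```conf
# pf.conf fragment (added example; names and numbers below are assumed values)
ext_if = "em0"                      # assumed external interface

# Offending sources are added here by the overload action below.
table <bruteforce> persist

# Drop everything from addresses already in the table.
block in quick on $ext_if from <bruteforce>

# Allow SSH, tracking state per source address. A source that holds more than
# 5 simultaneous connections, or opens more than 3 new connections within
# 30 seconds, is added to <bruteforce>; "flush global" also kills the states
# it already has, so the block takes effect immediately.
pass in on $ext_if proto tcp from any to any port ssh flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 3/30, \
     overload <bruteforce> flush global)

# root crontab entry (not part of pf.conf): every 5 minutes, remove table
# entries older than 3600 seconds. Age is measured from when the entry's
# statistics were last cleared, as the package description above says.
# Path assumes a FreeBSD ports install.
# */5 * * * * /usr/local/sbin/expiretable -t 3600 bruteforce
```

Load the rules with `pfctl -f /etc/pf.conf` and inspect the table with `pfctl -t bruteforce -T show`.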
