Date:      Mon, 26 May 2008 02:20:45 +0100
From:      "John ." <comp.john@googlemail.com>
To:        freebsd-pf@freebsd.org
Subject:   auto-blackholing/blacklisting on multiple hacking attempts
Message-ID:  <abc784790805251820x62a763aem67d262b1a103f41c@mail.gmail.com>

Hi,

I'm running FreeBSD 7-RELEASE.

I see this, for example, in my auth log:

May 15 02:00:39 www sshd[9180]: Invalid user web from 201.18.232.30
May 15 02:00:41 www sshd[9182]: Invalid user web from 201.18.232.30
May 15 02:00:43 www sshd[9184]: Invalid user web from 201.18.232.30
May 15 02:00:45 www sshd[9186]: Invalid user web from 201.18.232.30
May 15 02:00:48 www sshd[9188]: Invalid user web from 201.18.232.30
May 15 02:00:50 www sshd[9190]: Invalid user web from 201.18.232.30
May 15 02:00:52 www sshd[9192]: Invalid user web from 201.18.232.30
May 15 02:00:54 www sshd[9194]: Invalid user web from 201.18.232.30
May 15 02:00:56 www sshd[9196]: Invalid user web from 201.18.232.30
May 15 02:00:58 www sshd[9198]: Invalid user web from 201.18.232.30
May 15 02:01:00 www sshd[9200]: Invalid user web from 201.18.232.30
May 15 02:01:02 www sshd[9205]: Invalid user web from 201.18.232.30
May 15 02:01:04 www sshd[9207]: Invalid user account from 201.18.232.30
May 15 02:01:06 www sshd[9209]: Invalid user account from 201.18.232.30
May 15 02:01:08 www sshd[9211]: Invalid user account from 201.18.232.30
May 15 02:01:10 www sshd[9213]: Invalid user account from 201.18.232.30
May 15 02:01:12 www sshd[9218]: Invalid user account from 201.18.232.30
May 15 02:01:14 www sshd[9220]: Invalid user account from 201.18.232.30
May 15 02:01:39 www sshd[9244]: Invalid user apache from 201.18.232.30
May 15 02:01:41 www sshd[9246]: Invalid user apache from 201.18.232.30
May 15 02:01:43 www sshd[9248]: Invalid user apache from 201.18.232.30
May 15 02:01:45 www sshd[9250]: Invalid user apache from 201.18.232.30
May 15 02:01:47 www sshd[9252]: Invalid user apache from 201.18.232.30

I'd like it to be so that if an IP tries to connect to sshd more than
once in a 30-second period, they are immediately blackholed.
Should I be using pf for this, or would it be done better in some other
utility?

cheers

-- 
John

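An added example (not part of John's post or any reply on the list): a detector for the auth.log lines quoted above that applies the stated rule, more than one sshd attempt from one address within 30 seconds, and renders the `pfctl` commands that would add the offender to a pf table. The table name, the log year, and the fourth sample line (192.0.2.10) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: three lines quoted in the post plus one unrelated
# host that appears only once (it must not be flagged).
SAMPLE_LOG = """\
May 15 02:00:39 www sshd[9180]: Invalid user web from 201.18.232.30
May 15 02:00:41 www sshd[9182]: Invalid user web from 201.18.232.30
May 15 02:01:04 www sshd[9207]: Invalid user account from 201.18.232.30
May 15 02:05:00 www sshd[9300]: Invalid user test from 192.0.2.10
"""

# Matches the auth.log format shown in the post: "Invalid user NAME from IP".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user \S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def parse_ts(ts, year=2008):
    # syslog timestamps carry no year; the post's year is assumed here.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_offenders(log_text, limit=1, window=30, year=2008):
    """Return {ip: timestamp at which the rule was first exceeded}.
    An IP is flagged the first time it produces more than `limit` matching
    lines within any `window`-second span (per-IP sliding window)."""
    recent = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, when = m.group("ip"), parse_ts(m.group("ts"), year)
        q = recent[ip]
        q.append(when)
        # Drop attempts that fell out of the window.
        while (when - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > limit and ip not in flagged:
            flagged[ip] = when
    return flagged

def pfctl_commands(flagged, table="bruteforce"):
    """Render pfctl invocations adding each offender to a pf table
    (table name assumed; a pf rule must block from <bruteforce>)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(flagged)]
```

pf can also enforce the same rule in-kernel without log parsing: a `pass` rule with `max-src-conn-rate 2/30` and `overload <bruteforce> flush global` moves offenders into the table automatically.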