From owner-freebsd-security@FreeBSD.ORG Mon Jan 21 13:08:50 2008
From: Willem Jan Withagen <wjw@digiware.nl>
Organization: Digiware
Date: Mon, 21 Jan 2008 13:38:07 +0100
To: Jordi Espasa Clofent
Cc: freebsd-security@freebsd.org
Subject: Re: denyhosts-like app for MySQLd?
Message-ID: <4794922F.8090009@digiware.nl>
In-Reply-To: <47947587.2010106@opengea.org>
References: <47946AD3.2020601@opengea.org> <200801211226.51852.tim@priebe.alt.na> <47947587.2010106@opengea.org>
Jordi Espasa Clofent wrote:
>> Hi,
>>
>> There is a functionality in pf, that allows you to have an application
>> to update a list of hosts, that is used in a rule. You could have a
>> script harvest the addresses from your log files, and then update the
>> table in pf. I have not tried it myself, but was looking at adopting
>> an implementation to create a tarpit for spammers based on this idea.
>
> Yes Tim, I know it. The "problem" is the servers are built in IPFW as
> firewall solution.
> I've tried the "limit" IPFW's option... but it isn't exactly what I'm
> looking for.

Have a look at swatch in the ports, and build some rules that add blocking
rules to the beginning of your firewall rule set. I've got servers running
with > 3500 rules ;), and the box doesn't even notice it.
(You can even/easily do things in Perl embedded in the rules.)

The best suggestion is of course to only let those in whom you want to let in.
Block others by default.

I'm using the above scenario on public mail servers, with harvesting from the
postgrey output, and from the ssh log output.

--WjW
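The reply above describes the mechanism in outline: harvest source addresses from log files, then feed them into the firewall ahead of the normal rule set. The script below is an added example and is not code from the thread or from swatch; it shows the harvesting half as a plain POSIX sh script that a swatch action or a cron job could call. It assumes sshd's standard "Failed password ... from ADDR port ..." log format, a failure threshold, an allow-list of addresses that must never be blocked (so the admin cannot lock themself out), and that the blocked addresses are fed into one ipfw table referenced by a single low-numbered deny rule, which is the ipfw counterpart of the pf table idea in the quoted text. The table number, threshold, DRY_RUN variable and the sample log lines are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: harvest repeated failed-login sources
# from sshd log lines and feed them into an ipfw table that a single deny
# rule at the front of the ruleset consults.
#
# Assumed one-time setup (run as root on FreeBSD, not done by this script):
#   ipfw add 100 deny ip from "table(1)" to any   # assumed rule number/table
#
# Assumptions (not on the page): threshold of 3 failures, table 1 for
# dynamic blocks, an allow-list, and DRY_RUN=1 prints instead of running ipfw.

THRESHOLD=${THRESHOLD:-3}
BLOCK_TABLE=${BLOCK_TABLE:-1}
ALLOW=${ALLOW:-"203.0.113.5"}   # constructed: addresses never to block
DRY_RUN=${DRY_RUN:-1}

# Constructed sample auth-log lines in sshd's format (RFC 5737 test addresses).
SAMPLE_LOG='Jan 21 13:01:02 host sshd[2311]: Failed password for invalid user admin from 192.0.2.10 port 4011 ssh2
Jan 21 13:01:05 host sshd[2311]: Failed password for invalid user admin from 192.0.2.10 port 4012 ssh2
Jan 21 13:01:09 host sshd[2311]: Failed password for root from 192.0.2.10 port 4013 ssh2
Jan 21 13:02:00 host sshd[2320]: Failed password for root from 198.51.100.7 port 5000 ssh2
Jan 21 13:02:11 host sshd[2322]: Failed password for wjw from 203.0.113.5 port 5100 ssh2
Jan 21 13:02:12 host sshd[2322]: Failed password for wjw from 203.0.113.5 port 5101 ssh2
Jan 21 13:02:13 host sshd[2322]: Failed password for wjw from 203.0.113.5 port 5102 ssh2
Jan 21 13:02:30 host sshd[2325]: Accepted publickey for wjw from 203.0.113.5 port 6000 ssh2'

# harvest LOGTEXT: print, one per line, every source address with at least
# THRESHOLD failed-password lines that is not on the allow-list.
harvest() {
    printf '%s\n' "$1" \
      | sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c \
      | awk -v t="$THRESHOLD" -v allow=" $ALLOW " \
            '$1 >= t && index(allow, " " $2 " ") == 0 { print $2 }' \
      | sort
}

# block_cmd ADDR: the ipfw command that adds ADDR to the block table.
block_cmd() {
    printf 'ipfw table %s add %s\n' "$BLOCK_TABLE" "$1"
}

# apply_blocks LOGTEXT: print (DRY_RUN=1) or run one table add per offender.
# Errors from "already exists" entries are tolerated by ipfw; real runs
# need root and are idempotent enough for repeated cron invocations.
apply_blocks() {
    harvest "$1" | while read -r ip; do
        cmd=$(block_cmd "$ip")
        if [ "$DRY_RUN" = 1 ]; then
            echo "$cmd"
        else
            $cmd
        fi
    done
}

apply_blocks "$SAMPLE_LOG"
```

Run as is, it prints `ipfw table 1 add 192.0.2.10` and nothing else: 198.51.100.7 is below the threshold and 203.0.113.5 is protected by the allow-list despite three failures. Because the deny rule references a table rather than a growing list of individual rules, the rule count stays constant no matter how many addresses are harvested, and removing an entry later is a single `ipfw table 1 delete ADDR`.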