From: Charlie Root <hasse@ymer.thorshammare.org>
To: Michael Ross
Subject: Re: sshguard pf
Date: Wed, 5 Nov 2014 00:21:15 +0100 (CET)
Cc: Lowell Gilbert, freebsd-questions@freebsd.org
Message-ID: <20141104232115.GA3145@ymer.thorshammare.org>
References: <20141102154444.GA42429@ymer.thorshammare.org> <54581F0E.4080404@a1poweruser.com> <20141104110202.GA37003@ymer.thorshammare.org> <44vbmv6kyp.fsf@lowell-desk.lan> <20141104193652.GA3062@ymer.thorshammare.org> <44oasm7l6f.fsf@lowell-desk.lan>
List-Id: User questions <freebsd-questions@freebsd.org>
User-Agent: Mutt/1.5.23 (2014-03-12)

On Tue, Nov 04, 2014 at 10:56:32PM +0100, Michael Ross wrote:
> On Tue, 04 Nov 2014 21:41:44 +0100, Lowell Gilbert wrote:
>
> > Charlie Root writes:
> >
> >> Does "bruteblock" require me to run ipfw2 as my firewall?
> >
> > Yes. That's why I mentioned that there are several other options, I just
> > don't know them myself.
> >
> > Last I checked, bruteblock doesn't support IPv6 either, so one of these
> > days I may have to check into the choices again.
>
> For the record, I use fail2ban,
> and setting it up was painless, and it will support pf.
>
> Quick-How-To:
>
> 1. Install fail2ban
> 2. Create file /usr/local/etc/fail2ban/jail.local
>
> [sshd]
>
> enabled = true
> action = pf
> port = ssh
> logpath = %(sshd_log)s
>
>
> [sshd-ddos]
>
> enabled = true
> action = pf
> port = ssh
> logpath = %(sshd_log)s
>
>
> 3.
> Modify /usr/local/etc/fail2ban/action.d/pf.conf
> You need the correct path to pfctl in "actionban" and "actionunban"
> and the correct tablename in the [Init] section at the end.
>
> 4. service fail2ban onestart
>

Thanks a lot everybody. Lots of good advice. Preciate all the help.
Think I will give fail2ban another try with the above configuration.
I was running ossec-hids a while ago with great success, but feel like
that's shooting mosquitoes with a cannon in this case.

/hasse
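The four-step how-to quoted above leaves one thing implicit that decides whether the bans actually bite: pfctl will happily add addresses to a table, but pf only drops traffic from that table if a rule in pf.conf references it. The script below is an added example, not code from the thread or from the fail2ban project. It writes the jail.local from the how-to, a trimmed action.d/pf.conf containing only the keys step 3 says to edit (fail2ban's shipped file has more), and the pf.conf lines that make the table effective, then checks that the table name in the action file matches a block rule in pf.conf and that the pfctl path in actionban exists. Assumptions, all labelled in the code: the table is named "fail2ban", pfctl is at /sbin/pfctl (the FreeBSD default), files go under a scratch prefix so the script runs unprivileged, and 203.0.113.5 is a constructed sample address.

```shell
#!/bin/sh
# Added example (not from the thread): generate the fail2ban + pf pieces the
# quoted how-to describes and check that they agree with each other.
# Assumptions: table name "fail2ban", pfctl at /sbin/pfctl, files written under
# $PREFIX (default /tmp/f2b-demo) instead of /usr/local/etc and /etc.

PREFIX="${PREFIX:-/tmp/f2b-demo}"
TABLE="${TABLE:-fail2ban}"
PFCTL="${PFCTL:-/sbin/pfctl}"

# Step 2 of the how-to: jail.local with the sshd and sshd-ddos jails, pf action.
gen_jail_local() {
    cat <<EOF
[sshd]
enabled = true
action  = pf
port    = ssh
logpath = %(sshd_log)s

[sshd-ddos]
enabled = true
action  = pf
port    = ssh
logpath = %(sshd_log)s
EOF
}

# Step 3: the keys you are told to edit in action.d/pf.conf. fail2ban replaces
# <tablename> and <ip> before running the command (trimmed illustration only).
gen_pf_action() {
    cat <<EOF
[Definition]
actionstart =
actionstop =
actioncheck =
actionban   = $PFCTL -t <tablename> -T add <ip>
actionunban = $PFCTL -t <tablename> -T delete <ip>

[Init]
tablename = $TABLE
EOF
}

# What the how-to leaves out: pf.conf must define the table and a rule must use
# it. "quick" puts the ban ahead of the later pass rule for ssh.
gen_pf_rules() {
    cat <<EOF
table <$TABLE> persist
block in quick from <$TABLE> to any
pass in proto tcp from any to any port ssh
EOF
}

# Returns 0 when the action file's tablename is defined and used by a block
# rule in pf.conf and the binary in actionban is executable; 1 otherwise.
check_consistency() {
    action="$1"; pfconf="$2"
    tbl=$(sed -n 's/^tablename *= *//p' "$action")
    [ -n "$tbl" ] || { echo "no tablename in $action"; return 1; }
    grep -q "^table <$tbl>" "$pfconf" || { echo "pf.conf does not define <$tbl>"; return 1; }
    grep -Eq "^block .*<$tbl>" "$pfconf" || { echo "no block rule uses <$tbl>"; return 1; }
    bin=$(sed -n 's/^actionban *= *\([^ ]*\).*/\1/p' "$action")
    [ -x "$bin" ] || { echo "pfctl not executable at '$bin'"; return 1; }
    return 0
}

# The exact command fail2ban would run to ban $2, with the tags substituted.
render_ban_cmd() {
    action="$1"; ip="$2"
    tbl=$(sed -n 's/^tablename *= *//p' "$action")
    sed -n 's/^actionban *= *//p' "$action" | sed "s/<tablename>/$tbl/; s/<ip>/$ip/"
}

write_demo() {
    mkdir -p "$PREFIX/fail2ban/action.d"
    gen_jail_local > "$PREFIX/fail2ban/jail.local"
    gen_pf_action  > "$PREFIX/fail2ban/action.d/pf.conf"
    gen_pf_rules   > "$PREFIX/pf.conf"
}

write_demo
if check_consistency "$PREFIX/fail2ban/action.d/pf.conf" "$PREFIX/pf.conf"; then
    echo "ok: $(render_ban_cmd "$PREFIX/fail2ban/action.d/pf.conf" 203.0.113.5)"
else
    echo "mismatch between $PREFIX/fail2ban/action.d/pf.conf and $PREFIX/pf.conf"
fi
```

After the real files are in place and pf has been reloaded, `pfctl -t fail2ban -T show` lists the currently banned addresses and `fail2ban-client status sshd` shows the jail's counters; if both stay empty while sshd keeps logging failures, the logpath or the table name is the usual culprit. Step 4's `service fail2ban onestart` is a one-off; set `fail2ban_enable="YES"` in rc.conf for it to survive a reboot. Later fail2ban releases fold the sshd-ddos filter into the sshd filter's `mode` setting, so on a newer install the second jail may need to become `mode = ddos` (or `aggressive`) under `[sshd]` instead.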