From owner-freebsd-ipfw@FreeBSD.ORG Tue Oct 4 01:19:03 2005
Date: Tue, 4 Oct 2005 08:15:48 +0700 (ICT)
Message-Id: <200510040115.j941FmTm040763@banyan.cs.ait.ac.th>
From: Olivier Nicole
To: nb_root@videotron.ca
Cc: freebsd-ipfw@freebsd.org
In-reply-to: <200510031816.26658.nb_root@videotron.ca> (message from Nicolas Blais on Mon, 03 Oct 2005 18:16:16 -0400)
References: <200510031816.26658.nb_root@videotron.ca>
Subject: Re: Automatically add attacks to deny list?
List-Id: IPFW Technical Discussions

> Whenever someone tries a portscan or http server vulnerability scan on my
> system, I have to manually add their ip in my /etc/ipfw.conf file such as:
> add 100 deny all from xx.xxx.xxx.xxx to any
>
> Is there a way, without enabling blackhole, to dynamically add ips to my
> blacklist after a certain packet/sec limit or some other way?
I'd say that the problem is not to find how to do that, but to decide whether it is a good thing to automatically deny an IP. There must be some plugin to snort that does what you want, but the risk is either your filtering is too soft and you miss blocking some IP, or too harsh and you block some legitimate traffic.

Olivier
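To make the "too soft / too harsh" trade-off concrete, here is an added example (not from this thread and not a snort plugin): a shell function that reads ipfw "Deny" syslog lines, counts distinct destination ports per source, and prints `ipfw table` commands for sources over a threshold while skipping an allowlist. The log lines are constructed samples, and the table number (1) and allowlist address are assumptions.

```sh
# Added example: rank sources in ipfw "Deny" log lines by how many distinct
# destination ports they hit and emit table-add commands for those over a
# threshold. The log lines are constructed samples; the table number (1) and
# the allowlist address are assumptions.
LOG_SAMPLE='Oct  4 08:10:01 gw kernel: ipfw: 300 Deny TCP 203.0.113.7:40211 192.0.2.10:22 in via em0
Oct  4 08:10:01 gw kernel: ipfw: 300 Deny TCP 203.0.113.7:40212 192.0.2.10:23 in via em0
Oct  4 08:10:02 gw kernel: ipfw: 300 Deny TCP 203.0.113.7:40213 192.0.2.10:25 in via em0
Oct  4 08:10:02 gw kernel: ipfw: 300 Deny TCP 203.0.113.7:40214 192.0.2.10:80 in via em0
Oct  4 08:10:03 gw kernel: ipfw: 300 Deny TCP 198.51.100.9:51000 192.0.2.10:80 in via em0
Oct  4 08:10:03 gw kernel: ipfw: 300 Deny TCP 198.51.100.9:51001 192.0.2.10:80 in via em0
Oct  4 08:10:04 gw kernel: ipfw: 300 Deny TCP 192.0.2.200:5000 192.0.2.10:22 in via em0
Oct  4 08:10:04 gw kernel: ipfw: 300 Deny TCP 192.0.2.200:5001 192.0.2.10:80 in via em0
Oct  4 08:10:05 gw kernel: ipfw: 300 Deny TCP 192.0.2.200:5002 192.0.2.10:443 in via em0
Oct  4 08:10:05 gw kernel: ipfw: 300 Deny TCP 192.0.2.200:5003 192.0.2.10:8080 in via em0
Oct  4 08:10:06 gw kernel: ipfw: 300 Accept TCP 203.0.113.7:40215 192.0.2.10:443 in via em0'

# candidates THRESHOLD "ALLOWLIST"   (reads log lines on stdin)
# Prints "ipfw table 1 add <ip>" for each source denied on at least THRESHOLD
# distinct destination ports that is not in the space-separated ALLOWLIST.
# Counting distinct ports instead of raw packets keeps one client retrying a
# single port (198.51.100.9 above) from being blocked ("too harsh"); the
# allowlist keeps your own monitor host (192.0.2.200 above) out of the table.
candidates() {
    awk -v thr="$1" -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /ipfw: [0-9]+ Deny / {
            # locate the "Deny" token so the fields are not tied to syslog prefix length
            for (i = 1; i <= NF; i++)
                if ($i == "Deny") { split($(i+2), src, ":"); split($(i+3), dst, ":") }
            key = src[1] SUBSEP dst[2]
            if (!(key in seen)) { seen[key] = 1; ports[src[1]]++ }
        }
        END {
            for (ip in ports)
                if (ports[ip] >= thr && !(ip in ok))
                    print "ipfw table 1 add " ip
        }' | sort
}

# Review the output before piping it to sh; a rule such as
#   add 100 deny ip from table(1) to any
# then blocks the listed sources.
printf '%s\n' "$LOG_SAMPLE" | candidates 3 "192.0.2.200"
```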