Date: Thu, 21 Aug 2008 16:42:34 -0400
From: Michael Butler <imb@protected-networks.net>
To: freebsd-stable@FreeBSD.org
Cc: freebsd-security@freebsd.org
Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts
Message-ID: <48ADD33A.9030907@protected-networks.net>
In-Reply-To: <48ADCDAD.80507@gmail.com>
References: <48ADA81E.7090106@aldan.algebra.com> <48ADCDAD.80507@gmail.com>
I do something related to this with fwlogwatch, although it can probably be adapted to any similar tool; when I hit the 'block' threshold, I execute something like:

    #!/bin/sh
    # fwlogwatch response hook: the offending address arrives as $3.
    # Tag the entry with the current hour (0-23, no leading zero).
    HR=`date "+%-k"`
    /sbin/ipfw table 0 add $3 ${HR}

.. so each entry has a tag indicating the hour at which the block was initiated. At 5 to the hour, I run a simple cron job which does this to clean out everything older than 24 hours ..

    #!/bin/sh
    # Runs at five minutes to the hour. Entries tagged with the *next* hour
    # were added about 23 hours ago, so drop them before that hour comes round.
    HR=`date -v+1H "+%-k"`
    /sbin/ipfw table 0 list >/tmp/xx.$$
    cat /tmp/xx.$$ | while read LINE
    do
        # each line is "addr/mask value": $1 is the address, $2 the hour tag
        set -- $LINE
        case "$2" in
        ${HR})
            /sbin/ipfw table 0 delete $1
            echo -n `date +"%H:%M:%S"` >>/var/log/fwlw_clean_log
            echo " fwlw_clean: removed $1 from table 0" >>/var/log/fwlw_clean_log
            ;;
        esac
    done
    rm /tmp/xx.$$

I also have a script in /usr/local/etc/rc.d which saves the current state in the event of an orderly shutdown and restores it on boot:

    #!/bin/sh
    case "$1" in
    start)
        # restore "addr/mask value" pairs saved at the last orderly shutdown
        cat /var/db/ipfw/cache0 | while read LINE
        do
            set -- $LINE
            /sbin/ipfw table 0 add $1 $2
        done
        ;;
    stop)
        /sbin/ipfw table 0 list >/var/db/ipfw/cache0
        ;;
    restart)
        $0 $DEBUG stop
        $0 $DEBUG start
        exit $?
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
    esac
    exit 0

Of course, this only works for ipv4 because of the restriction on the ipfw table data, but it's just an example,

Michael
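An added example, not part of Michael's message: the same expiry scheme with the table value holding the epoch time at which the address was blocked, so the cleanup removes anything older than a fixed age instead of matching an hour bucket (a missed cron run then no longer leaves entries behind for a day). It assumes the `addr/mask value` line format of `ipfw table N list` used above, and that the table value is wide enough for epoch seconds; the sample listing is constructed.

```shell
#!/bin/sh
# Added example: age-based expiry of ipfw table entries.
# Table value = epoch seconds when the address was blocked.

TABLE=0
MAX_AGE=86400        # seconds; drop blocks older than 24h

# What the fwlogwatch response hook would run: block $1, stamped with "now".
block_addr() {
    /sbin/ipfw table "$TABLE" add "$1" "$(date +%s)"
}

# Filter: read "addr/mask value" lines on stdin, print the addresses whose
# stamp is at least $2 seconds older than the epoch time given as $1.
# A value of 0 (what a hand-added entry gets) is never expired.
expired_entries() {
    awk -v now="$1" -v max="$2" '
        NF == 2 && $2 ~ /^[0-9]+$/ && $2 > 0 && now - $2 >= max { print $1 }'
}

# Cron job body: delete every expired entry and log what was removed.
expire_blocks() {
    now=$(date +%s)
    /sbin/ipfw table "$TABLE" list |
    expired_entries "$now" "$MAX_AGE" |
    while read addr; do
        /sbin/ipfw table "$TABLE" delete "$addr" &&
        echo "$(date +%H:%M:%S) expire: removed $addr from table $TABLE" \
            >>/var/log/fwlw_clean_log
    done
}

# Constructed sample of "ipfw table 0 list" output, for checking the filter
# offline without ipfw. The last entry was added by hand (value 0).
SAMPLE='192.0.2.10/32 1219350000
192.0.2.11/32 1219430000
198.51.100.7/32 1219433000
203.0.113.5/32 0'

# Apply the filter to the sample as of the epoch time $1.
sample_expired() {
    printf '%s\n' "$SAMPLE" | expired_entries "$1" "$MAX_AGE"
}
```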