Date: Tue, 22 Jan 2008 01:34:10 +0100
From: mouss <mouss@netoyen.net>
To: freebsd-security@freebsd.org
Subject: Re: denyhosts-like app for MySQLd?
Message-ID: <47953A02.6030306@netoyen.net>
In-Reply-To: <4794922F.8090009@digiware.nl>
References: <47946AD3.2020601@opengea.org> <200801211226.51852.tim@priebe.alt.na> <47947587.2010106@opengea.org> <4794922F.8090009@digiware.nl>

Willem Jan Withagen wrote:
> Jordi Espasa Clofent wrote:
>>> Hi,
>>>
>>> There is a functionality in pf, that allows you to have an
>>> application to update a list of hosts, that is used in a rule. You
>>> could have a script harvest the addresses from your log files, and
>>> then update the table in pf. I have not tried it myself, but was
>>> looking at adopting an implementation to create a tarpit for
>>> spammers based on this idea.
>>
>> Yes Tim, I know it. The "problem" is the servers are built in IPFW as
>> firewall solution.
>> I've tried the "limit" IPFW's option... but isn't exactly what I'm
>> looking for.
>
> Have a look at swatch in the ports, and build some rules that add
> blocking rules to the beginning of your firewall rule set.
> I've got servers running with > 3500 rules ;), and the box doesn't
> even notice it.
> (you can even/easily do things in perl embedded in the rules.)

make sure to parse the logs "strictly". consider this:

# mysql -h yourserver -u foo\'@\'10.1.2.3.4\' ...
Access denied for user 'foo'@'10.1.2.3.4''@'yourip' (using password: NO)

so you'd better pick the right IP here.

>
> The best suggestion is of course to only let those in, you want to let
> in. Block others by default.
>
> I'm using the above scenario on public mailservers, with harvesting
> from the postgrey output. And from the ssh log output.
>
> --WjW
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe@freebsd.org"
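
An added example, not part of the original message or of any tool named in the thread: a strict parser for the "Access denied" line quoted above, next to a naive one that picks up the address the client typed into the user name. The sample lines are constructed, 203.0.113.7 stands in for 'yourip', and the function names and the failure threshold are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Naive: takes the first quoted token after "'@'", which the client controls.
NAIVE = re.compile(r"Access denied for user '[^']*'@'([^']+)'")

# Strict: the host is the last quoted token, directly before the fixed
# "(using password: ...)" suffix at end of line. The user part is greedy,
# so quotes and '@' typed into the user name stay inside it.
STRICT = re.compile(
    r"Access denied for user '(?P<user>.*)'@'(?P<host>[^'\s]+)' "
    r"\(using password: (?:YES|NO)\)$"
)

def naive_host(line):
    m = NAIVE.search(line)
    return m.group(1) if m else None

def strict_host(line):
    m = STRICT.search(line.rstrip("\r\n"))
    if not m:
        return None
    try:
        # Only a well-formed IP address may reach the firewall table.
        return str(ipaddress.ip_address(m.group("host")))
    except ValueError:
        return None  # hostname or garbage: never block on it

def hosts_to_block(lines, threshold):
    """Addresses with at least `threshold` failures, using the strict parser."""
    counts = Counter(h for h in map(strict_host, lines) if h)
    return sorted(h for h, n in counts.items() if n >= threshold)

# Constructed sample log lines; the first is the line from the message.
SAMPLE = [
    "Access denied for user 'foo'@'10.1.2.3.4''@'203.0.113.7' (using password: NO)",
    "Access denied for user 'root'@'192.0.2.10''@'203.0.113.7' (using password: YES)",
    "Access denied for user 'app'@'198.51.100.5' (using password: YES)",
    "Access denied for user 'bob'@'localhost' (using password: NO)",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(f"naive={naive_host(line)!s:<14} strict={strict_host(line)}")
    print("block:", hosts_to_block(SAMPLE, threshold=2))
```

On the second sample line the naive pattern returns 192.0.2.10, a well-formed address, so validating the extracted value is not enough on its own; the anchoring at the end of the line is what selects the address the server recorded.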