From: mouss <mouss@netoyen.net>
Date: Tue, 22 Jan 2008 01:34:10 +0100
To: freebsd-security@freebsd.org
Subject: Re: denyhosts-like app for MySQLd?
Message-ID: <47953A02.6030306@netoyen.net>
In-Reply-To: <4794922F.8090009@digiware.nl>
References: <47946AD3.2020601@opengea.org> <200801211226.51852.tim@priebe.alt.na> <47947587.2010106@opengea.org> <4794922F.8090009@digiware.nl>

Willem Jan Withagen wrote:
> Jordi Espasa Clofent wrote:
>>> Hi,
>>>
>>> There is a functionality in pf that allows you to have an
>>> application update a list of hosts that is used in a rule. You
>>> could have a script harvest the addresses from your log files, and
>>> then update the table in pf. I have not tried it myself, but was
>>> looking at adopting an implementation to create a tarpit for
>>> spammers based on this idea.
>>
>> Yes Tim, I know it. The "problem" is the servers are built with IPFW as
>> the firewall solution.
>> I've tried IPFW's "limit" option... but it isn't exactly what I'm
>> looking for.
>
> Have a look at swatch in the ports, and build some rules that add
> blocking rules to the beginning of your firewall rule set.
> I've got servers running with > 3500 rules ;), and the box doesn't
> even notice it.
> (you can even/easily do things in perl embedded in the rules.)

Make sure to parse the logs "strictly". Consider this:

# mysql -h yourserver -u foo\'@\'10.1.2.3.4\' ...

Access denied for user 'foo'@'10.1.2.3.4''@'yourip' (using password: NO)

So you'd better pick the right IP here.

> The best suggestion is of course to only let those in, you want to let
> in. Block others by default.
>
> I'm using the above scenario on public mailservers, with harvesting
> from the postgrey output. And from the ssh log output.
>
> --WjW
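An added example (not code from the post, swatch, or any FreeBSD tool) of the "strict" parsing mouss is asking for: a naive dotted-quad grab picks up the address an attacker embedded in the username, while a parser anchored on the fixed tail of MySQL's access-denied line recovers the real peer. The log lines, timestamp prefix and addresses below are constructed; "192.0.2.77" stands in for the post's "yourip".

```python
import ipaddress
import re

# Constructed sample log: the injected-username case from the post, plus two
# ordinary lines (one peer logged as an IP, one as a resolved hostname).
SAMPLE_LOG = [
    "080122  1:30:01 [Warning] Access denied for user "
    "'foo'@'10.1.2.3.4''@'192.0.2.77' (using password: NO)",
    "080122  1:30:05 [Warning] Access denied for user "
    "'root'@'198.51.100.9' (using password: YES)",
    "080122  1:30:09 [Warning] Access denied for user "
    "'app'@'db-client.example' (using password: YES)",
]

# Naive approach: first thing that looks like an IPv4 address, anywhere.
NAIVE_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Strict approach: anchor on the fixed "(using password: ...)" tail at end of
# line, and accept only a host part with no quote or '@' in it. The user part
# is matched greedily, so quotes and '@' inside an attacker-chosen username
# cannot move the host boundary.
STRICT_RE = re.compile(
    r"Access denied for user '(?P<user>.*)'@'(?P<host>[^'@]*)'"
    r" \(using password: (?:YES|NO)\)\s*$"
)


def naive_client(line):
    """What a quick regex would 'find' as the client address."""
    m = NAIVE_RE.search(line)
    return m.group(1) if m else None


def strict_client(line):
    """Return (host, is_ip) for the real peer, or None when the line does not
    have exactly the expected shape (never block on a guess)."""
    m = STRICT_RE.search(line)
    if not m:
        return None
    host = m.group("host")
    try:
        ipaddress.ip_address(host)
        return host, True
    except ValueError:
        return host, False  # resolved hostname, not an address to feed a table


def candidates_to_block(lines):
    """Only literal IPs recovered by the strict parser are block candidates."""
    return [r[0] for r in map(strict_client, lines) if r and r[1]]
```

For the first sample line naive_client() returns "10.1.2.3" (the attacker's string), while strict_client() returns ("192.0.2.77", True).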