From: "Jeff Laine"
To: "David Allen"
Cc: freebsd-questions@freebsd.org
Subject: Re: Dealing with portscans
Date: Mon, 22 Sep 2008 21:03:52 +0400
Message-ID: <2b98f2f70809221003k457b5117v774695e369536242@mail.gmail.com>
In-Reply-To: <2daa8b4e0809220817v10c4a657l6ee76f853a62b246@mail.gmail.com>
List-Id: User questions (freebsd-questions@freebsd.org)

2008/9/22 David Allen:
> Over the last few weeks I've been getting numerous port scans, each from
> unique hosts. The situation is more of an annoyance than anything else,
> but I would prefer not seeing or having to deal with an extra 20-30K
> entries in my logs as was the case recently.
>
> I use pf for firewalling, and while it does offer different methods
> (max-src-conn, max-src-conn-rate, etc.) for dealing with abusive hosts, it
> doesn't seem to offer much in the way of dealing with repeated blocked
> (non-stateful) connection attempts from a given host.
>
> Short of running something like snort, is there a suitable tool for
> dealing with this? If not, I'll probably resort to running a cronjob to
> parse the logfile and add the offending hosts manually.

Give portsentry from the ports collection a try.

--
--Jeff--
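The question's fallback plan (a cron job that parses the log and adds offenders to a table) is worth showing concretely, because pf's own `max-src-conn-rate ... overload <table>` mechanism only counts connections that reach a stateful `pass` rule; attempts that are already dropped by a `block` rule never create state and so cannot be counted by pf itself. The script below is an added example, not code from this thread, from pf or from portsentry. It reads the text form of pflog (as printed by `tcpdump -n -e -r /var/log/pflog`), counts inbound blocked attempts per source address, and emits `pfctl -t <table> -T add` commands for sources over a threshold. The table name `scanners`, the threshold, and the log lines embedded in the script are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post, pf or portsentry): count blocked
# inbound attempts per source in pflog text output and emit pfctl commands that
# add repeat offenders to a pf table. Table name "scanners", the threshold and
# the sample log lines are all assumptions constructed for this demo.
#
# Assumed pf.conf side (not in the thread):
#   table <scanners> persist
#   block in quick from <scanners>
#   block in log on em0 ...          # the existing logged block rules
# and, from cron, to let entries age out again:
#   pfctl -t scanners -T expire 86400

# Constructed sample of `tcpdump -n -e -r /var/log/pflog` output. The parser
# keys only on ": block in on " and the ">" token, so the timestamp format does
# not matter. Contents: one IPv4 host probing three ports, one single hit, one
# passed connection that must not be counted, and one IPv6 host probing three.
SAMPLE_PFLOG='10:03:52.101452 rule 1/0(match): block in on em0: 192.0.2.10.51234 > 198.51.100.5.22: Flags [S], seq 1, win 65535, length 0
10:03:52.201452 rule 1/0(match): block in on em0: 192.0.2.10.51235 > 198.51.100.5.23: Flags [S], seq 1, win 65535, length 0
10:03:52.301452 rule 1/0(match): block in on em0: 192.0.2.10.51236 > 198.51.100.5.25: Flags [S], seq 1, win 65535, length 0
10:03:53.101452 rule 1/0(match): block in on em0: 203.0.113.7.40000 > 198.51.100.5.80: Flags [S], seq 1, win 65535, length 0
10:03:54.101452 rule 3/0(match): pass in on em0: 198.51.100.9.55555 > 198.51.100.5.22: Flags [S], seq 1, win 65535, length 0
10:03:55.101452 rule 1/0(match): block in on em0: 2001:db8::bad.6000 > 2001:db8::5.22: Flags [S], seq 1, win 65535, length 0
10:03:56.101452 rule 1/0(match): block in on em0: 2001:db8::bad.6001 > 2001:db8::5.23: Flags [S], seq 1, win 65535, length 0
10:03:57.101452 rule 1/0(match): block in on em0: 2001:db8::bad.6002 > 2001:db8::5.25: Flags [S], seq 1, win 65535, length 0'

# offenders THRESHOLD  < pflog-text
# Prints "count address" for every source that was blocked inbound at least
# THRESHOLD times, highest count first. Outbound blocks and passed packets are
# ignored. Works for IPv4 and IPv6 because only the trailing ".port" is removed.
offenders() {
  awk -v min="$1" '
    /: block in on / {
      src = ""
      for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i - 1); break }
      if (src == "") next                 # unexpected line shape: skip it
      sub(/\.[0-9]+$/, "", src)           # strip the .port suffix
      n[src]++
    }
    END { for (h in n) if (n[h] >= min) printf "%d %s\n", n[h], h }
  ' | sort -k1,1nr -k2,2
}

# pf_block_cmds TABLE THRESHOLD  < pflog-text
# Emits one "pfctl -t TABLE -T add ADDR" line per offender. Pipe into sh as
# root on a pf host to apply; here it only prints, so it runs anywhere.
pf_block_cmds() {
  offenders "$2" | awk -v t="$1" '{ printf "pfctl -t %s -T add %s\n", t, $2 }'
}

# Stand-alone demo on the constructed sample with a threshold of 3.
printf '%s\n' "$SAMPLE_PFLOG" | pf_block_cmds scanners 3
```

Two cautions before wiring this into cron. A blocked SYN carries no proof of its source, so an attacker can spoof packets from an address you care about and get it added to the table; keep your own networks and any upstream resolvers or monitoring hosts out of the rule (for example `block in quick from <scanners> to any` placed after a `pass in quick from <trusted>` rule, or filtered out of the script's input). And because pf tables are in kernel memory, pair the additions with a periodic `pfctl -t scanners -T expire` so the table does not grow without bound.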