From owner-freebsd-questions@FreeBSD.ORG Mon Sep 22 20:06:12 2008
Delivered-To: freebsd-questions@freebsd.org
Message-ID: <2daa8b4e0809221306y3e8ebd4eg321377269ee2e1@mail.gmail.com>
Date: Mon, 22 Sep 2008 13:06:11 -0700
From: "David Allen"
To: freebsd-questions@freebsd.org
In-Reply-To: <48D7D434.6080702@FreeBSD.org>
References: <2daa8b4e0809220817v10c4a657l6ee76f853a62b246@mail.gmail.com> <48D7D434.6080702@FreeBSD.org>
Subject: Re: Dealing with portscans
List-Id: User questions

On 9/22/08, Greg Larkin wrote:
> David Allen wrote:
>> Over the last few weeks I've been getting numerous port scans, each from
>> unique hosts. The situation is more of an annoyance than anything else,
>> but I would prefer not seeing or having to deal with an extra 20-30K
>> entries in my logs as was the case recently.
>>
>> I use pf for firewalling, and while it does offer different methods
>> (max-src-conn, max-src-conn-rate, etc.) for dealing with abusive hosts, it
>> doesn't seem to offer much in the way of dealing with repeated blocked
>> (non-stateful) connection attempts from a given host.
>>
>> Short of running something like snort, is there a suitable tool for
>> dealing with this? If not, I'll probably resort to running a cronjob to
>> parse the logfile and add the offending hosts manually.
>
> Hi David,
>
> You might want to try security/portsentry from the ports tree. It's a
> bit dated, and it has no maintainer at the moment, but a cursory glance
> at it tells me it might work for you. It supports pf for blocking
> connections once your trigger conditions are met.

I'll give it a try.

FWIW, I did discover that parsing the log files to get a list of
offending hosts (denied a number of times above a given threshold)
wasn't really as slow or troublesome as I thought. That slightly hackish
approach might be useful for port scans in addition to the various
rubbish I get sent.

Thanks to both you and Jeff Laine for the replies.
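The "parse the log, count denials per host, add the repeat offenders to pf" approach the thread settles on, as an added example that is not code from the thread or from any of its participants. It assumes log lines in the shape produced by `tcpdump -n -e -ttt -r /var/log/pflog`, a pf table named `<scanners>` (`table <scanners> persist` plus `block in quick from <scanners>` in pf.conf), and a threshold of blocked attempts; the sample log lines, the table name and the allowlist are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): rank blocked source hosts in pf log text
# and emit the pfctl commands that would add repeat offenders to a table.
# Assumes log lines in the shape produced by
#   tcpdump -n -e -ttt -r /var/log/pflog
# and a pf table declared in pf.conf as
#   table <scanners> persist
#   block in quick from <scanners>
# The table name, the allowlist and the sample lines below are assumptions.

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG='00:00:00.000000 rule 2/0(match): block in on em0: 203.0.113.5.40001 > 192.0.2.10.22: Flags [S], seq 1, win 65535, length 0
00:00:00.000120 rule 2/0(match): block in on em0: 203.0.113.5.40002 > 192.0.2.10.23: Flags [S], seq 1, win 65535, length 0
00:00:00.000240 rule 2/0(match): block in on em0: 203.0.113.5.40003 > 192.0.2.10.25: Flags [S], seq 1, win 65535, length 0
00:00:00.000360 rule 2/0(match): block in on em0: 198.51.100.7.51000 > 192.0.2.10.22: Flags [S], seq 1, win 65535, length 0
00:00:00.000480 rule 4/0(match): pass in on em0: 198.51.100.9.52000 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0'

# Addresses never to be added, whatever the count (assumed local/management hosts),
# so a noisy monitoring box or a typo in the threshold cannot lock you out.
ALLOWLIST="127.0.0.1 192.0.2.1"

# offending_hosts THRESHOLD   (reads log text on stdin)
# Prints, sorted, each source address with at least THRESHOLD "block in" entries.
offending_hosts() {
    awk -v thr="$1" -v allow="$ALLOWLIST" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        /block in/ {
            # the source is the field just before ">"; strip its trailing .port
            for (i = 1; i <= NF; i++) if ($i == ">") {
                src = $(i - 1)
                sub(/\.[0-9]+$/, "", src)
                if (!(src in skip)) count[src]++
            }
        }
        END { for (h in count) if (count[h] >= thr) print h }
    ' | sort
}

# pfctl_commands THRESHOLD   (reads log text on stdin)
# Prints the pfctl invocations that would add each offender to the <scanners> table.
# Printing rather than executing keeps the cron job auditable; pipe to sh once you
# trust the output.
pfctl_commands() {
    offending_hosts "$1" | while read -r host; do
        printf 'pfctl -t scanners -T add %s\n' "$host"
    done
}

# Stand-alone run: show what a cron job would execute for the sample, without touching pf.
printf '%s\n' "$SAMPLE_LOG" | pfctl_commands 3
```

Run from cron against the rotated pflog of the last interval rather than the live file, so each host is counted once per window; `pfctl -t scanners -T show` lists what has been added, and `pfctl -t scanners -T expire <seconds>` ages entries out so a scanner that has moved on is not blocked forever. The threshold and the log window are the two knobs to tune against the 20-30K-entry bursts described in the thread.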