Message-ID: <43F54C18.5000704@xena.ipaustralia.gov.au>
Date: Fri, 17 Feb 2006 15:07:52 +1100
From: Carl Makin
To: Atanas
Cc: freebsd-stable@freebsd.org
Subject: Re: SSH login takes very long time...sometimes

Hi Atanas,

Atanas wrote:
> Does anybody know whether ipfw (or something else within FreeBSD-4) is
> capable of setting connection rate limits?

I'm using SEC to monitor the auth.log file and block any IP addresses
that fail a password 3 times within 60 seconds.

I use the following sec.conf file;

------------------------------------------------
type=SingleWithThreshold
ptype=RegExp
pattern=Failed password for (\S+) from (\S+) port (\S+) ssh2
desc=SSH attack from $2
action=shellcmd /usr/local/bin/ipfwadd.sh "$2" ; pipe 'Failed password for $1 from $2' /usr/bin/mail -s 'SSH Attack from $2' your@email.address
window=60
thresh=3

type=SingleWithThreshold
ptype=RegExp
pattern=Illegal user (\S+) from (\S+)
desc=SSH attack from $2
action=shellcmd /usr/local/bin/ipfwadd.sh "$2" ; pipe 'Illegal user $1 from $2' /usr/bin/mail -s 'SSH Attack from $2' your@email.address
window=60
thresh=3
---------------------------------------------------------------------

and I'm still using ipfw so ipfwadd.sh looks like this;

--------------------------------------------------------------------
#!/bin/sh
/sbin/ipfw -q add 15 deny ip from "$1" to any in via tun0
--------------------------------------------------------------------

and run it with

sec -conf=/usr/local/etc/sec.conf -input=/var/log/auth.log -pid=/var/run/sec.pid -detach

Hope this helps,

Carl.
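
A hardened variant of the ipfwadd.sh helper above, as an added example that is not part of Carl's message: the address SEC captures comes from log text that the remote client partly controls, so this version accepts only a dotted-quad IPv4 address and skips allowlisted addresses before calling ipfw. The IPFW and ALLOWLIST variables and the allowlist file path are assumptions introduced here; rule number 15 and tun0 come from the post.

```shell
#!/bin/sh
# Added example: stricter ipfwadd.sh (not the poster's script).
# Rule number 15 and interface tun0 are taken from the post.
# IPFW and ALLOWLIST are hypothetical knobs introduced for this example.
IPFW="${IPFW:-/sbin/ipfw}"
ALLOWLIST="${ALLOWLIST:-/usr/local/etc/ipfwadd.allow}"  # one address per line

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray chars, bad dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Add the deny rule. Returns 2 for a rejected argument, 3 for an
# allowlisted address (for example your own management hosts).
block_ip() {
    if ! is_ipv4 "$1"; then
        echo "ipfwadd: argument is not an IPv4 address, ignored" >&2
        return 2
    fi
    if [ -r "$ALLOWLIST" ] && grep -qxF -- "$1" "$ALLOWLIST"; then
        return 3
    fi
    "$IPFW" -q add 15 deny ip from "$1" to any in via tun0
}

# When run as a script (as SEC's shellcmd action does), block the first argument.
if [ "$#" -gt 0 ]; then
    block_ip "$1"
fi
```

The sec.conf action line stays the same; only the helper script changes.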