From owner-freebsd-pf@FreeBSD.ORG Tue Aug 25 15:30:53 2009
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 8D721106564A
	for ; Tue, 25 Aug 2009 15:30:53 +0000 (UTC)
	(envelope-from freebsd@optimis.net)
Received: from mail.optimis.net (mail.optimis.net [69.104.191.124])
	by mx1.freebsd.org (Postfix) with ESMTP id 400098FC1C
	for ; Tue, 25 Aug 2009 15:30:52 +0000 (UTC)
Received: from marvin.optimis.net (marvin.optimis.net [192.168.1.3])
	by mail.optimis.net (8.14.3/8.14.2) with ESMTP id n7PFIDtH021823
	for ; Tue, 25 Aug 2009 08:18:13 -0700 (PDT)
	(envelope-from freebsd@optimis.net)
Received: from marvin.optimis.net (localhost [127.0.0.1])
	by marvin.optimis.net (8.14.3/8.14.3) with ESMTP id n7PFICmq075152
	for ; Tue, 25 Aug 2009 08:18:12 -0700 (PDT)
	(envelope-from freebsd@optimis.net)
Received: (from george@localhost)
	by marvin.optimis.net (8.14.3/8.14.3/Submit) id n7PFICgE075151
	for freebsd-pf@freebsd.org; Tue, 25 Aug 2009 08:18:12 -0700 (PDT)
	(envelope-from freebsd@optimis.net)
Date: Tue, 25 Aug 2009 08:18:12 -0700
From: George Davidovich
To: freebsd-pf@freebsd.org
Message-ID: <20090825151812.GA75010@marvin.optimis.net>
References: <200908230132343.SM01728@W500.Go2France.com>
	<200908230340125.SM01728@W500.Go2France.com>
	<7731938b0908221957g2150a2f0p3263b6cab72bdf81@mail.gmail.com>
	<4A914FD1.7070500@bals.org>
	<200908231748187.SM01728@W500.Go2France.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200908231748187.SM01728@W500.Go2France.com>
User-Agent: Mutt/1.5.19 (2009-01-05)
Subject: Re: something like bruteblock for pf?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 25 Aug 2009 15:30:53 -0000

On Sun, Aug 23, 2009 at 10:49:24AM -0500, Len Conrad wrote:
>
> > On 08/22/2009 10:57 PM Peter Maxwell wrote:
> > > 2009/8/23 Len Conrad :
> > > > I'm looking for something like bruteblock that logwatches (smtp,
> > > > ssh, ftp, whatever) and inserts/removes TCP block rules into pf
> > > > for x hours, so the protocol daemons are involved.

If you're looking for a general-purpose solution, see
/usr/ports/sysutils/grok.  The FreeBSD man cgi doesn't seem to want to
show the manpage, so here's an alternate link for more information:

http://www.semicomplete.com/projects/grok/

> > > Before implementing something like this, I would urge caution: if
> > > what you're asking was actually of any use, someone else would
> > > probably have done it properly.  I can't imagine how log entries
> > > from an ftp server, say, are going to be related to your smtp
> > > server security?  If it's a simple connection management, then
> > > max-src-conn/max-src-conn-rate might be a more robust solution.
> >
> > http://johan.fredin.info/openbsd/block_ssh_bruteforce.html explains
> > how to use max-src-conn-rate and expiretable.
> >
> > # pkg_info -x expiretable
> > Information for expiretable-0.6:
> >
> > Comment:
> > Utility to remove entries from the pf(4) table based on their age
>
> I have no problem putting IPs into pf, it's expiring them that was
> blocking me, but expiretable fixes that.

From pfctl(8):

     -T command [address ...]
             Specify the command (may be abbreviated) to apply to the
             table.  Commands include:
             ...
             -T expire number
                     Delete addresses which had their statistics cleared
                     more than number seconds ago.  For entries which have
                     never had their statistics cleared, number refers to
                     the time they were added to the table.

IIRC, the expire command was added in 7.0 or 7.1.

-- 
George
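The two halves of the thread's approach, an overload rule that feeds offenders into a pf table and a periodic `pfctl -T expire` that ages them out again, put together as an added example. This is my illustration, not code from the thread, from pf, or from expiretable; it assumes a FreeBSD 7.x-or-later pf where `pfctl -t <table> -T expire` exists, an external interface called em0, and a table I have named <bruteforce>:

```shell
#!/bin/sh
# Added example (not from the thread): pf overload table + cron-driven expiry.
# Assumptions (mine): pf with `-T expire` (FreeBSD 7.x or later), external
# interface em0, table name "bruteforce". Adjust to taste.

# Write the pf.conf fragment. The overload option adds an offending source to
# the table once it exceeds the connection limits; the block rule is what
# actually drops that source's traffic. "flush global" also kills the
# offender's existing states so the block takes effect immediately.
write_pf_rules() {
    cat > "$1" <<'EOF'
ext_if = "em0"
table <bruteforce> persist
block in quick on $ext_if from <bruteforce>
pass in on $ext_if proto tcp to port ssh flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)
EOF
}

# pf table names are letters, digits and underscore; refuse anything else
# before it is interpolated into a command line.
table_name_ok() {
    case "$1" in
        '' | *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Turn a block duration in whole hours into the seconds argument pfctl expects.
hours_to_seconds() {
    case "$1" in
        '' | *[!0-9]*)
            echo "hours_to_seconds: '$1' is not a whole number of hours" >&2
            return 1 ;;
    esac
    echo $(( $1 * 3600 ))
}

# Compose the expire command. Per pfctl(8), -T expire removes entries whose
# statistics were last cleared (or, if never cleared, that were added) more
# than N seconds ago, which is exactly "block for x hours".
expire_cmd() {
    table_name_ok "$1" || { echo "expire_cmd: bad table name '$1'" >&2; return 1; }
    secs=$(hours_to_seconds "$2") || return 1
    printf 'pfctl -t %s -T expire %s\n' "$1" "$secs"
}

# Execute for real only where pfctl exists and we are root; otherwise show
# what would run. A crontab line such as
#   */10 * * * * root /usr/local/sbin/expire-bruteforce.sh bruteforce 1
# keeps every entry in the table to roughly one hour.
run_expire() {
    cmd=$(expire_cmd "$1" "$2") || return 1
    if command -v pfctl >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        $cmd
    else
        echo "dry run: $cmd"
    fi
}

run_expire "${1:-bruteforce}" "${2:-1}"
```

Running the cron job every few minutes rather than every hour makes the effective block time close to the configured value; the expire threshold is a lower bound, and an entry lives until the next run after it crosses it.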