Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 17 Dec 2009 17:34:22 -0800
From:      Brandon Low <lostlogic@lostlogicx.com>
To:        freebsd-questions@freebsd.org
Subject:   RFC: Fam/Python based script for bruteforce blocking
Message-ID:  <20091218013422.GI73162@lostlogicx.com>

next in thread | raw e-mail | index | archive | help

--17pEHd4RhPHOinZp
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Hi,

I'm pretty new to FreeBSD, but when I saw how neatly it supported
file-backed tables for IP blocking I knew I'd finally want to build a
bruteforce blocking script that I'd long wanted to create on Linux.

This script is loosely based on the perl script for the same purpose
from http://home.earthlink.net/~valiantsoul/pf.html .

My script, in contrast to the above, runs as a daemon and is completely
self contained other than the blacklist file.  Of course it's up to the
user to create the bruteforce table in pf and to do something useful
with it, but once that's done just running the bruteforce.py daemon will
take care of the rest.  I've attached the script and my pf.conf.  The
only other requirements other than python are py-fam and (of course)
a configured fam.

I'd love to hear other people's feedback on this approach of using FAM +
auth.log to implement this and/or to hear of other superior approaches
to achieving this result.

Thanks for reading,

--Brandon

--17pEHd4RhPHOinZp
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="pf.conf"

table <bruteforce> persist file "/var/db/blacklist"
table <safe> persist file "/var/db/friendlist"
block in all
pass in on nfe0 proto tcp from any to any port 22 keep state
pass in on nfe0 proto tcp from any to any port 80 keep state
pass in on nfe0 proto tcp from any to any port 443 keep state
pass in on nfe0 proto tcp from any to any port 25 keep state
pass in on nfe0 proto tcp from any to any port 465 keep state
pass in on nfe0 proto tcp from any to any port 993 keep state
pass in on nfe0 proto udp from any to any port 53
pass in on nfe0 proto tcp from any to any port 53 keep state
pass in on nfe0 proto udp from any to any port 123
pass in on nfe0 proto icmp
block from <bruteforce>
pass from <safe>
pass on lo0
pass out all keep state

--17pEHd4RhPHOinZp--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20091218013422.GI73162>