From: Brandon Low <lostlogic@lostlogicx.com>
To: freebsd-questions@freebsd.org
Date: Thu, 17 Dec 2009 17:34:22 -0800
Subject: RFC: Fam/Python based script for bruteforce blocking
Message-ID: <20091218013422.GI73162@lostlogicx.com>
X-Operating-System: FreeBSD 8.0-RELEASE amd64
User-Agent: Mutt/1.5.20 (2009-06-14)
X-Content-Filtered-By: Mailman/MimeDel 2.1.5

Hi,

I'm pretty new to FreeBSD, but when I saw how neatly it supported file-backed tables for IP blocking, I knew I'd finally want to build a bruteforce blocking script that I'd long wanted to create on Linux. This script is loosely based on the Perl script for the same purpose from http://home.earthlink.net/~valiantsoul/pf.html. My script, in contrast to the above, runs as a daemon and is completely self-contained other than the blacklist file.

Of course, it's up to the user to create the bruteforce table in pf and to do something useful with it, but once that's done, just running the bruteforce.py daemon will take care of the rest.

I've attached the script and my pf.conf. The only requirements other than Python are py-fam and (of course) a configured fam.

I'd love to hear other people's feedback on this approach of using FAM + auth.log to implement this and/or to hear of other superior approaches to achieving this result.

Thanks for reading,

--Brandon

[attachment: pf.conf]

# The table names between angle brackets were lost when this message was
# archived; the names below are reconstructed and must match the table that
# bruteforce.py adds addresses to.
table <bruteforce> persist file "/var/db/blacklist"
table <friendlist> persist file "/var/db/friendlist"

block in all
pass in on nfe0 proto tcp from any to any port 22 keep state
pass in on nfe0 proto tcp from any to any port 80 keep state
pass in on nfe0 proto tcp from any to any port 443 keep state
pass in on nfe0 proto tcp from any to any port 25 keep state
pass in on nfe0 proto tcp from any to any port 465 keep state
pass in on nfe0 proto tcp from any to any port 993 keep state
pass in on nfe0 proto udp from any to any port 53
pass in on nfe0 proto tcp from any to any port 53 keep state
pass in on nfe0 proto udp from any to any port 123
pass in on nfe0 proto icmp
# pf's last matching rule wins: blacklisted sources lose the passes above,
# and friendlisted sources win even if they end up in the blacklist.
block from <bruteforce>
pass from <friendlist>
pass on lo0
pass out all keep state
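The approach the message describes (watch auth.log for sshd failures, count them per source address, and push offenders into a pf table backed by the blacklist file) as an added example. This is not Brandon's bruteforce.py, which the archive did not preserve: the table name `bruteforce`, the threshold and window, the use of `tail -F` on stdin in place of FAM notifications, and the sample log lines are all this example's assumptions, not the author's. The sample addresses are TEST-NET ranges and the log is constructed.

```python
import re
import subprocess
import sys
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed settings (the posted bruteforce.py is not in the archive). BLACKLIST is
# the file the posted pf.conf loads its table from.
THRESHOLD = 5                    # failures within WINDOW that trigger a block
WINDOW = timedelta(minutes=10)   # sliding window per source address
TABLE = "bruteforce"             # pf table name (assumed)
BLACKLIST = "/var/db/blacklist"
LOG_YEAR = 2009                  # syslog timestamps carry no year

# sshd failure lines as syslog writes them to auth.log on FreeBSD.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+"
    r"|Did not receive identification string) from (?P<ip>[0-9a-fA-F.:]+)"
)

def parse_failure(line):
    """Return (timestamp, source_ip) for an sshd failure line, else None."""
    m = FAIL_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return ts, m.group("ip")

def pfctl_add_cmd(ip):
    """pfctl invocation that adds one address to the live table."""
    return ["pfctl", "-t", TABLE, "-T", "add", ip]

class BruteforceTracker:
    """Counts failures per source in a sliding window; friendlist is never blocked."""
    def __init__(self, friendlist=(), threshold=THRESHOLD, window=WINDOW):
        self.friendlist = set(friendlist)
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked = set()

    def feed(self, line):
        """Process one log line; return the IP if this line triggers a new block."""
        parsed = parse_failure(line)
        if parsed is None:
            return None
        ts, ip = parsed
        if ip in self.friendlist or ip in self.blocked:
            return None
        recent = self.failures[ip]
        recent.append(ts)
        # Drop failures that fell out of the window, so a slow trickle of typos
        # never accumulates into a block.
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            self.blocked.add(ip)
            del self.failures[ip]
            return ip
        return None

def scan(lines, friendlist=()):
    """Run a batch of log lines through a fresh tracker; return IPs in block order."""
    tracker = BruteforceTracker(friendlist)
    return [ip for ip in map(tracker.feed, lines) if ip is not None]

# Constructed sample (TEST-NET addresses, not real traffic). 203.0.113.80 also
# fails five times, but 20 minutes apart, so it never reaches THRESHOLD in WINDOW.
SAMPLE_LOG = """\
Dec 17 17:00:01 erudite sshd[4801]: Failed password for invalid user test from 203.0.113.80 port 39001 ssh2
Dec 17 17:00:03 erudite sshd[4801]: Failed password for invalid user test from 203.0.113.80 port 39001 ssh2
Dec 17 17:00:05 erudite sshd[4801]: Failed password for invalid user test from 203.0.113.80 port 39001 ssh2
Dec 17 17:20:01 erudite sshd[4902]: Failed password for invalid user test from 203.0.113.80 port 39002 ssh2
Dec 17 17:20:03 erudite sshd[4902]: Failed password for invalid user test from 203.0.113.80 port 39002 ssh2
Dec 17 17:30:01 erudite sshd[5001]: Failed password for invalid user admin from 203.0.113.7 port 40211 ssh2
Dec 17 17:30:03 erudite sshd[5001]: Failed password for invalid user admin from 203.0.113.7 port 40211 ssh2
Dec 17 17:30:05 erudite sshd[5002]: Invalid user oracle from 203.0.113.7
Dec 17 17:30:06 erudite sshd[5002]: Failed password for invalid user oracle from 203.0.113.7 port 40212 ssh2
Dec 17 17:30:09 erudite sshd[5003]: Failed password for root from 203.0.113.7 port 40213 ssh2
Dec 17 17:30:12 erudite sshd[5004]: Accepted publickey for brandon from 198.51.100.20 port 51000 ssh2
Dec 17 17:31:00 erudite sshd[5005]: Failed password for brandon from 198.51.100.9 port 52000 ssh2
Dec 17 17:31:04 erudite sshd[5005]: Failed password for brandon from 198.51.100.9 port 52000 ssh2
Dec 17 17:31:08 erudite sshd[5005]: Failed password for brandon from 198.51.100.9 port 52000 ssh2
Dec 17 17:31:12 erudite sshd[5006]: Failed password for brandon from 198.51.100.9 port 52001 ssh2
Dec 17 17:31:16 erudite sshd[5006]: Failed password for brandon from 198.51.100.9 port 52001 ssh2
"""

if __name__ == "__main__":
    # Daemon mode:  tail -F /var/log/auth.log | python3 bruteforce_example.py
    # (the author's script gets new lines from FAM instead of tail). Each new
    # block goes into the live pf table and is appended to the blacklist file
    # so it survives a reboot or a pfctl -f reload.
    tracker = BruteforceTracker()
    for ip in filter(None, map(tracker.feed, map(str.rstrip, sys.stdin))):
        with open(BLACKLIST, "a") as f:
            f.write(ip + "\n")
        subprocess.run(pfctl_add_cmd(ip), check=True)
```

Two points the pf.conf side depends on: `pfctl -t <table> -T add` changes the in-kernel table immediately, but only the `persist file` entry makes the block come back after a reload, which is why the address is written to the file as well; and because pf evaluates rules last-match-wins, the friendlist `pass` rule after the `block from` rule protects addresses on it, so the tracker skipping friendlisted sources is belt-and-braces rather than the only safeguard. The window prune matters for the same reason `block in all` sits first: without it, a legitimate user's occasional typos over a month would eventually sum to a block.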