Date:      Thu, 18 Sep 2008 01:49:16 +0200
From:      Mel <fbsd.questions@rachie.is-a-geek.net>
To:        freebsd-questions@freebsd.org
Cc:        "Marc G. Fournier" <scrappy@hub.org>
Subject:   Re: Auto blacklist ssh connections ...
Message-ID:  <200809180149.17189.fbsd.questions@rachie.is-a-geek.net>
In-Reply-To: <14143EECEC1CC52A4BC39AC3@ganymede.hub.org>
References:  <14143EECEC1CC52A4BC39AC3@ganymede.hub.org>

On Thursday 18 September 2008 01:15:45 Marc G. Fournier wrote:
> Does anyone know of a utility that I can use with sshd to auto-block by IP
> if there are more then N failed attempts in a row?

# crontab -l
@reboot /usr/sbin/daemon -p /var/run/grok-ssh.pid /usr/local/bin/grok -f /etc/pf/grok-ssh.conf

# grep -- -0F /usr/local/bin/grok
my $TAIL = "/usr/bin/tail -0F";

^^^^ so that newsyslog doesn't interfere.

$ cat /etc/pf/grok-ssh.conf
file "/var/log/auth.log" {
        type "ssh-illegal-user" {
                match = "Invalid user %USERNAME% from %IP%";
                threshold = 5;   # 5 hits ...
                key = "%IP%";    # from a single ip ...
                interval = 60;   # in 1 minute
                reaction = "/root/bin/pfscanners %IP%"; # permanent
        };

        type "ssh-scan-possible" {
                match = "Did not receive identification string from %IP%";
                threshold = 3;
                interval = 60;
                reaction = "/sbin/pfctl -t scanners -Tadd %IP%"; # temporary
        };
};

$ cat /root/bin/pfscanners
#!/bin/sh
# Add every IP passed as an argument to the pf <scanners> table and
# append it to the table file so the block survives a reboot.
while [ -n "$1" ]; do
        /sbin/pfctl -t scanners -Tadd "$1"
        echo "$1" >> /etc/pf/scanners.table
        shift
done

$ grep scanners /etc/pf.conf
table <scanners> persist file "/etc/pf/scanners.table"
block in log on $ext_if from <scanners>

-- 
Mel

Problem with today's modular software: they start with the modules
    and never get to the software part.

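The threshold/key/interval logic that grok-ssh.conf relies on, reimplemented as an added example over a constructed auth.log excerpt (this is not grok's own code; the placeholder-to-regex mapping and the "one reaction per burst" reset are assumptions):

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Sep 18 01:10:01 host sshd[1001]: Invalid user admin from 203.0.113.5
Sep 18 01:10:03 host sshd[1002]: Invalid user test from 203.0.113.5
Sep 18 01:10:05 host sshd[1003]: Invalid user oracle from 203.0.113.5
Sep 18 01:10:07 host sshd[1004]: Invalid user guest from 203.0.113.5
Sep 18 01:10:09 host sshd[1005]: Invalid user root from 198.51.100.7
Sep 18 01:10:11 host sshd[1006]: Invalid user bob from 203.0.113.5
Sep 18 01:12:30 host sshd[1007]: Did not receive identification string from 198.51.100.7
Sep 18 01:12:31 host sshd[1008]: Did not receive identification string from 198.51.100.7
Sep 18 01:15:00 host sshd[1009]: Did not receive identification string from 198.51.100.7
"""

# Assumed mapping of the config's %PLACEHOLDER% tokens to regex named groups.
PLACEHOLDERS = {
    "%IP%": r"(?P<IP>\d{1,3}(?:\.\d{1,3}){3})",
    "%USERNAME%": r"(?P<USERNAME>\S+)",
}

# (name, match, threshold, interval seconds, reaction), mirroring grok-ssh.conf; key is %IP%.
RULES = [
    ("ssh-illegal-user", "Invalid user %USERNAME% from %IP%", 5, 60, "/root/bin/pfscanners %IP%"),
    ("ssh-scan-possible", "Did not receive identification string from %IP%", 3, 60,
     "/sbin/pfctl -t scanners -Tadd %IP%"),
]

def compile_match(pattern):
    """Turn a grok-style match string into a compiled regex; literal text is escaped."""
    parts = re.split(r"(%[A-Z]+%)", pattern)
    return re.compile("".join(PLACEHOLDERS.get(p, re.escape(p)) for p in parts))

def scan(log_text, rules=RULES):
    """Return (rule name, reaction command) pairs that would fire, in log order."""
    compiled = [(n, compile_match(m), thr, ivl, r) for n, m, thr, ivl, r in rules]
    windows = defaultdict(deque)  # (rule, source IP) -> timestamps of recent hits
    fired = []
    for line in log_text.splitlines():
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # syslog prefix, year irrelevant
        for name, rx, thr, ivl, react in compiled:
            m = rx.search(line)
            if not m:
                continue
            win = windows[(name, m.group("IP"))]
            win.append(ts)
            while (ts - win[0]).total_seconds() > ivl:  # keep only hits inside the interval
                win.popleft()
            if len(win) >= thr:
                fired.append((name, react.replace("%IP%", m.group("IP"))))
                win.clear()  # assumption: one reaction per burst
    return fired
```

Only 203.0.113.5 trips the five-in-sixty-seconds rule; the three identification-string lines from 198.51.100.7 are spread over 150 seconds, so the window prunes them and no temporary block fires.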