From: Mel
To: freebsd-questions@freebsd.org
Cc: "Marc G. Fournier"
Date: Thu, 18 Sep 2008 01:49:16 +0200
Subject: Re: Auto blacklist ssh connections ...
In-Reply-To: <14143EECEC1CC52A4BC39AC3@ganymede.hub.org>
Message-Id: <200809180149.17189.fbsd.questions@rachie.is-a-geek.net>
User-Agent: KMail/1.9.7

On Thursday 18 September 2008 01:15:45 Marc G. Fournier wrote:
> Does anyone know of a utility that I can use with sshd to auto-block by IP
> if there are more than N failed attempts in a row?

# crontab -l
@reboot /usr/sbin/daemon -p /var/run/grok-ssh.pid /usr/local/bin/grok -f /etc/pf/grok-ssh.conf

# grep -- -0F /usr/local/bin/grok
my $TAIL = "/usr/bin/tail -0F";
                         ^^^^ so that newsyslog doesn't interfere.
$ cat /etc/pf/grok-ssh.conf
file "/var/log/auth.log" {
    type "ssh-illegal-user" {
        match = "Invalid user %USERNAME% from %IP%";
        threshold = 5;                          # 5 hits ...
        key = "%IP%";                           # from a single ip ...
        interval = 60;                          # in 1 minute
        reaction = "/root/bin/pfscanners %IP%"; # permanent
    };
    type "ssh-scan-possible" {
        match = "Did not receive identification string from %IP%";
        threshold = 3;
        interval = 60;
        reaction = "/sbin/pfctl -t scanners -Tadd %IP%"; # temporary
    };
};

$ cat /root/bin/pfscanners
#!/bin/sh
# add each IP given on the command line to the pf table and persist it
while ( test ! -z "$1" ); do
    /sbin/pfctl -t scanners -Tadd "$1"
    echo "$1" >> /etc/pf/scanners.table
    shift
done

$ grep scanners /etc/pf.conf
table <scanners> persist file "/etc/pf/scanners.table"
block in log on $ext_if from <scanners>

-- 
Mel

Problem with today's modular software: they start with the modules and never get to the software part.
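The threshold/key/interval logic that the grok-ssh.conf above relies on, written out as an added example (not Mel's code or grok's): it replays constructed auth.log lines through the two rules from the post and returns the reaction command that would fire for each (rule, IP) instead of running pfctl. The syslog year, the host name and the sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Rules mirroring grok-ssh.conf: (name, pattern, threshold, interval seconds, reaction)
RULES = [
    ("ssh-illegal-user", re.compile(r"Invalid user \S+ from (?P<ip>[\d.]+)"),
     5, 60, "/root/bin/pfscanners %IP%"),
    ("ssh-scan-possible",
     re.compile(r"Did not receive identification string from (?P<ip>[\d.]+)"),
     3, 60, "/sbin/pfctl -t scanners -Tadd %IP%"),
]

def parse_ts(line, year=2008):
    # syslog lines omit the year, so it is an assumed parameter here
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def scan(lines):
    """Return (rule name, reaction command) for every (rule, ip) over threshold."""
    hits = defaultdict(deque)  # (rule, ip) -> timestamps still inside the window
    fired = []
    for line in lines:
        ts = parse_ts(line)
        for name, pat, threshold, interval, reaction in RULES:
            m = pat.search(line)
            if not m:
                continue
            ip = m.group("ip")
            q = hits[(name, ip)]
            q.append(ts)
            while (ts - q[0]).total_seconds() > interval:  # expire old hits
                q.popleft()
            if len(q) >= threshold:
                fired.append((name, reaction.replace("%IP%", ip)))
                q.clear()  # react once per burst, then start counting again
    return fired

# Constructed sample auth.log lines (documentation-range addresses)
SAMPLE_LOG = """\
Sep 17 23:10:01 host sshd[1001]: Invalid user admin from 203.0.113.5
Sep 17 23:10:03 host sshd[1002]: Invalid user test from 203.0.113.5
Sep 17 23:10:05 host sshd[1003]: Invalid user oracle from 203.0.113.5
Sep 17 23:10:07 host sshd[1004]: Invalid user guest from 203.0.113.5
Sep 17 23:10:09 host sshd[1005]: Invalid user backup from 203.0.113.5
Sep 17 23:10:11 host sshd[1006]: Did not receive identification string from 198.51.100.9
Sep 17 23:12:30 host sshd[1007]: Did not receive identification string from 198.51.100.9
Sep 17 23:12:31 host sshd[1008]: Did not receive identification string from 198.51.100.9
""".splitlines()
```

Only 203.0.113.5 crosses its threshold; 198.51.100.9 sends three identification failures, but the first one falls outside the 60-second interval, so no reaction fires for it.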