From: Agus
To: Mel
Cc: "Marc G. Fournier" , freebsd-questions@freebsd.org
Subject: Re: Auto blacklist ssh connections ...
Date: Wed, 17 Sep 2008 23:35:04 -0300

2008/9/17 Mel :
> On Thursday 18 September 2008 01:15:45 Marc G. Fournier wrote:
>> Does anyone know of a utility that I can use with sshd to auto-block by IP
>> if there are more than N failed attempts in a row?
>
> # crontab -l
> @reboot /usr/sbin/daemon -p /var/run/grok-ssh.pid /usr/local/bin/grok -f /etc/pf/grok-ssh.conf
>
> # grep -- -0F /usr/local/bin/grok
> my $TAIL = "/usr/bin/tail -0F";
>
> ^^^^ so that newsyslog doesn't interfere.
>
> $ cat /etc/pf/grok-ssh.conf
> file "/var/log/auth.log" {
>   type "ssh-illegal-user" {
>     match = "Invalid user %USERNAME% from %IP%";
>     threshold = 5;                            # 5 hits ...
>     key = "%IP%";                             # from a single ip ...
>     interval = 60;                            # in 1 minute
>     reaction = "/root/bin/pfscanners %IP%";   # permanent
>   };
>
>   type "ssh-scan-possible" {
>     match = "Did not receive identification string from %IP%";
>     threshold = 3;
>     interval = 60;
>     reaction = "/sbin/pfctl -t scanners -Tadd %IP%";  # temporary
>   };
> };
>
> $ cat /root/bin/pfscanners
> #!/bin/sh
>
> # Add each IP given on the command line to the live pf table and
> # persist it in the table file so it survives a reboot.
> while ( test ! -z "$1" ); do
>   /sbin/pfctl -t scanners -Tadd "$1"
>   echo "$1" >> /etc/pf/scanners.table
>   shift
> done
>
> $ grep scanners /etc/pf.conf
> table <scanners> persist file "/etc/pf/scanners.table"
> block in log on $ext_if from <scanners>
>
> --
> Mel
>
> Problem with today's modular software: they start with the modules
> and never get to the software part.

Cool utilities.. :) Also, if you want to watch other logs and be alerted about them, you should try sec.pl... it's in the ports... Very configurable and helps you with all the logs you want....

From there you could add it to the hosts.allow, or you could launch a script or a FW rule...

Cheers,
Agustin
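Mel's grok config quoted above counts matching auth.log lines per source IP inside a time window and runs a reaction once the threshold is reached. The following is an added example, not code from the thread, from grok or from sec.pl: it implements the same sliding-window threshold logic in Python over a few constructed auth.log lines, so the two rules can be checked before they are wired to pfctl. It assumes the year 2008 for the syslog timestamps (which carry none) and returns the reaction command that would run instead of executing it.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog timestamps have no year; this is an assumed value for the sample.
LOG_YEAR = 2008

# Constructed sample auth.log lines (not taken from the original thread).
SAMPLE_LOG = """\
Sep 17 22:01:03 host sshd[1201]: Invalid user admin from 192.0.2.10
Sep 17 22:01:05 host sshd[1203]: Invalid user oracle from 192.0.2.10
Sep 17 22:01:07 host sshd[1205]: Invalid user test from 192.0.2.10
Sep 17 22:01:09 host sshd[1207]: Invalid user guest from 192.0.2.10
Sep 17 22:01:11 host sshd[1209]: Invalid user postgres from 192.0.2.10
Sep 17 22:01:12 host sshd[1211]: Invalid user bob from 198.51.100.7
Sep 17 22:02:00 host sudo:    alice : TTY=pts/0 ; COMMAND=/usr/bin/id
Sep 17 22:03:30 host sshd[1213]: Invalid user alice from 198.51.100.7
Sep 17 22:05:00 host sshd[1215]: Did not receive identification string from 203.0.113.5
Sep 17 22:05:01 host sshd[1216]: Did not receive identification string from 203.0.113.5
Sep 17 22:05:02 host sshd[1217]: Did not receive identification string from 203.0.113.5
"""

# The two "type" blocks from the grok config, with %IP% as a named group.
# The reaction is an argument list, never a shell string: only the validated
# IP is substituted, and the attacker-chosen username is matched but unused.
RULES = [
    {
        "name": "ssh-illegal-user",
        "pattern": re.compile(r"Invalid user (?P<user>.+) from (?P<ip>\S+)$"),
        "threshold": 5,
        "interval": 60,
        "reaction": ["/root/bin/pfscanners", "{ip}"],
    },
    {
        "name": "ssh-scan-possible",
        "pattern": re.compile(r"Did not receive identification string from (?P<ip>\S+)$"),
        "threshold": 3,
        "interval": 60,
        "reaction": ["/sbin/pfctl", "-t", "scanners", "-T", "add", "{ip}"],
    },
]

# Only sshd lines are of interest; everything else is skipped.
SYSLOG_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)


def parse_line(line):
    """Return (epoch seconds, message) for an sshd syslog line, else None."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts.timestamp(), m.group("msg")


def scan(lines, rules=RULES):
    """Apply the threshold rules; return (rule, ip, command) for each reaction."""
    windows = defaultdict(deque)  # (rule name, ip) -> timestamps of recent hits
    fired = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        now, msg = parsed
        for rule in rules:
            m = rule["pattern"].search(msg)
            if not m:
                continue
            ip = m.group("ip")
            try:
                ipaddress.ip_address(ip)  # refuse anything that is not a bare address
            except ValueError:
                continue
            hits = windows[(rule["name"], ip)]
            hits.append(now)
            # Drop hits that fell out of the interval window.
            while hits and now - hits[0] > rule["interval"]:
                hits.popleft()
            if len(hits) >= rule["threshold"]:
                cmd = [arg.format(ip=ip) for arg in rule["reaction"]]
                fired.append((rule["name"], ip, cmd))
                hits.clear()  # count afresh after reacting, as a one-shot trigger
    return fired


if __name__ == "__main__":
    for name, ip, cmd in scan(SAMPLE_LOG.splitlines()):
        print(f"{name}: {ip} -> {' '.join(cmd)}")
```

In the sample, 192.0.2.10 trips the `ssh-illegal-user` rule on its fifth hit within 60 seconds, 198.51.100.7 never does because its two hits are more than a minute apart, and 203.0.113.5 trips `ssh-scan-possible`. To actually block, the returned list would be handed to `subprocess.run(cmd)`; keeping it an argument list rather than interpolating into a shell string matters because the log line is built partly from data the remote side chose.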