From owner-freebsd-questions@FreeBSD.ORG Sat Dec 19 12:38:30 2009
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 41504106566B for ; Sat, 19 Dec 2009 12:38:30 +0000 (UTC) (envelope-from mel.flynn+fbsd.questions@mailing.thruhere.net)
Received: from mailhub.rachie.is-a-geek.net (rachie.is-a-geek.net [66.230.99.27]) by mx1.freebsd.org (Postfix) with ESMTP id 11A338FC12 for ; Sat, 19 Dec 2009 12:38:29 +0000 (UTC)
Received: from smoochies.rachie.is-a-geek.net (mailhub.lan.rachie.is-a-geek.net [192.168.2.11]) by mailhub.rachie.is-a-geek.net (Postfix) with ESMTP id DD0597E818; Sat, 19 Dec 2009 03:38:28 -0900 (AKST)
From: Mel Flynn
To: freebsd-questions@freebsd.org
Date: Sat, 19 Dec 2009 03:38:26 -0900
User-Agent: KMail/1.12.1 (FreeBSD/8.0-STABLE; KDE/4.3.1; i386; ; )
References: <20091218013422.GI73162@lostlogicx.com>
In-Reply-To: <20091218013422.GI73162@lostlogicx.com>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <200912190338.26709.mel.flynn+fbsd.questions@mailing.thruhere.net>
Cc: Brandon Low
Subject: Re: RFC: Fam/Python based script for bruteforce blocking
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 19 Dec 2009 12:38:30 -0000

On Thursday 17 December 2009 16:34:22 Brandon Low wrote:
> I'd love to hear other people's feedback on this approach of using FAM +
> auth.log to implement this and/or to hear of other superior approaches
> to achieving this result.

Well, my first problem with it is obviously that I now need python, where I don't want python. In fact, my firewalls/gateways only have /bin/sh and /bin/csh as scripting languages. It's one reason I switched from custom sysutils/grok rules to using security/sshguard - it got rid of perl for me.

Secondly, you have matching rules coded in the script. If there would be one reason to prefer this script over sshguard, it would be that I can add attack patterns more easily, in a config file with a syntax that's not too obscure.

Last but not least, you assume that once an IP is at fault, I want that IP blocked permanently. In practice you end up with an extremely large table that might eventually be too big for a default PF table, and recurring scans from the same IP are not that common (you see the IP in a 12-24 hour window, then not again).

Hope this helps.
--
Mel
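The two points Mel raises, matching without a scripting runtime and expiring blocks instead of keeping them forever, can be illustrated with nothing but /bin/sh and awk, both of which ship in the FreeBSD base system. The script below is an added example written for this page; it is not code from Brandon's script, from sshguard, or from anyone in the thread. The auth.log lines, the addresses, the block timestamps and the function names `offenders` and `prune_blocks` are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: windowed brute-force detection
# using only /bin/sh and awk (FreeBSD base system), so no python or perl.
# The log lines below are constructed for illustration, not real auth.log data.

SAMPLE_LOG='Dec 19 03:10:01 gw sshd[1001]: Failed password for invalid user admin from 192.0.2.10 port 50001 ssh2
Dec 19 03:10:04 gw sshd[1002]: Failed password for invalid user admin from 192.0.2.10 port 50002 ssh2
Dec 19 03:10:09 gw sshd[1003]: Failed password for root from 192.0.2.10 port 50003 ssh2
Dec 19 03:11:30 gw sshd[1004]: Failed password for mel from 198.51.100.7 port 40100 ssh2
Dec 19 03:12:00 gw sshd[1005]: Accepted publickey for mel from 198.51.100.7 port 40101 ssh2'

THRESHOLD=3      # failures before an address is reported
WINDOW=86400     # seconds a block stays active (24h, the window Mel describes)

# offenders LOG THRESHOLD
# Count "Failed password" lines per source address and print "ip count"
# for every address at or above THRESHOLD, sorted so the output is stable.
offenders() {
    printf '%s\n' "$1" | awk -v thr="$2" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= thr) print ip, fails[ip] }
    ' | sort
}

# prune_blocks BLOCKLIST NOW WINDOW
# BLOCKLIST holds "ip epoch_when_blocked" lines. Print only the addresses
# whose block is younger than WINDOW seconds, so the table shrinks again
# instead of growing without bound.
prune_blocks() {
    printf '%s\n' "$1" | awk -v now="$2" -v win="$3" \
        'NF == 2 && (now - $2) < win { print $1 }'
}

# Constructed block list: first entry is older than 24h at the time used below.
BLOCKS='192.0.2.10 1261180000
203.0.113.5 1261270000'

# Demonstration when run directly.
echo "addresses over threshold:"
offenders "$SAMPLE_LOG" "$THRESHOLD"
echo "blocks still active at 1261273600:"
prune_blocks "$BLOCKS" 1261273600 "$WINDOW"
```

On a real gateway the output of `offenders` would feed a PF table and `prune_blocks` would be replaced by PF's own ageing of table entries, but the structure is the same: detection patterns live in one place that can be edited without touching a runtime you do not want on the firewall, and every block carries a timestamp so that it can be dropped after the window instead of staying in the table permanently.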