Date:      Fri, 08 Apr 2005 21:39:20 +0200
From:      Chris <rip@overflow.no>
To:        freebsd-security@freebsd.org
Subject:   Re: What is this Very Stupid DOS Attack Script?
Message-ID:  <1112989160.4471.19.camel@magic.shrooms>
In-Reply-To: <6.1.2.0.2.20050408120501.103c99c8@mail.llnl.gov>
References:  <200504061549.j36Fn8Y5082507@dc.cis.okstate.edu> <425406ED.5060400@withagen.nl> <4100.212.12.51.89.1112804356.squirrel@212.12.51.89> <4255D022.9040205@nsu.nova.edu> <6.1.2.0.2.20050408120501.103c99c8@mail.llnl.gov>

This might not be exactly what you want, but a solution to this might be
timelox by brian.  It has a definable action to take when an IP attempts
X logins in N seconds.
I've modified his timelox-code for openbsd to suit openssh portable
3.9p1/4.0p1 (linux/freebsd).
I will try to keep this up to date with the openssh-portable tree.

You can find it at http://www.overflow.no/?p=hacking

The next version will have a sshd_config setting for a script to run on
this event, to improve portability basically.

This prolly isn't the best solution, but it works pretty good.

If blocking out all of the world is a concern just add a cronjob for
root to clear the rules once a week or something like that. :)

On Fri, 2005-04-08 at 12:07 -0700, Michael Carlson wrote:
> I would be very interested in a script/setup like this, so I second the
> suggestion of posting it somewhere.
>
> On a minor off topic question, has anyone gotten the linux-pam/pam_tally to
> work in 5.x?
>
> Due to security requirements at work I need either that or something similar.
>
> At 05:28 PM 4/7/2005, Jon Adams wrote:
>
>
> >Marian Hettwer wrote:
> >
> >>On Wed, 6.04.2005, 17:57, Willem Jan Withagen said:
> >>
> >>
> >>>I've built some swatch-rules that after two of these hits, I dump
> >>>the host into ipfw-deny space.
> >>>
> >>>
> >>Aye. I thought about writing a script, doing the same like yours, too.
> >>Could you post this script somewhere, so that I could add some
> >>functionality or just use it ?
> >>
> >>
> >This is similar to what I do... except
> >
> >I just run a cronjob every so often... daily.. weekly.. what have you..
> >that will restart ipfw...  probably there is a cleaner solution, but it
> >does the job for me.... as far as cleaning out the dozens of IPs that get
> >blocked for connecting to ports they shouldn't on my boxes
> >
> >_______________________________________________
> >freebsd-security@freebsd.org mailing list
> >http://lists.freebsd.org/mailman/listinfo/freebsd-security
> >To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
>
Chris
-- 
Computer games don't affect kids; I mean if Pac-Man affected us as kids,
we'd all be running around in darkened rooms, swallowing magic pills and
listening to repetitive electronic music.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1112989160.4471.19.camel>
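
The "X logins in N seconds" trigger mentioned in the message, as an added example that is not part of the original e-mail and is not timelox's code. It assumes OpenSSH's usual "Failed password" syslog line, a threshold of 3 failures in 60 seconds, the year 2005 for the year-less syslog timestamps, and ipfw table 1 being referenced by an existing deny rule; the function names are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines (documentation addresses, not from the thread).
SAMPLE_LOG = """\
Apr  8 21:30:01 host sshd[411]: Failed password for root from 192.0.2.10 port 4021 ssh2
Apr  8 21:30:03 host sshd[412]: Failed password for invalid user test from 192.0.2.10 port 4022 ssh2
Apr  8 21:30:04 host sshd[413]: Accepted publickey for alice from 198.51.100.7 port 5100 ssh2
Apr  8 21:30:05 host sshd[414]: Failed password for admin from 192.0.2.10 port 4023 ssh2
Apr  8 21:31:00 host sshd[415]: Failed password for root from 203.0.113.5 port 6000 ssh2
Apr  8 21:35:00 host sshd[416]: Failed password for root from 203.0.113.5 port 6001 ssh2
Apr  8 21:39:30 host sshd[417]: Failed password for root from 203.0.113.5 port 6002 ssh2
"""

# Anchored at both ends; \S+ for the user name means a name containing spaces
# cannot place a fake "from <ip>" into the captured address (such lines are skipped).
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$")

def offenders(log_text, max_attempts=3, window_secs=60, year=2005):
    """Return IPs, in detection order, with >= max_attempts failures in window_secs."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    blocked = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        q = recent[m.group(2)]
        q.append(when)
        # Drop failures that have aged out of the sliding window.
        while (when - q[0]).total_seconds() > window_secs:
            q.popleft()
        if len(q) >= max_attempts and m.group(2) not in blocked:
            blocked.append(m.group(2))
    return blocked

def ipfw_commands(ips, table=1):
    """Build (not run) the ipfw commands; table number 1 is an assumption."""
    return [f"ipfw table {table} add {ip}" for ip in ips]

if __name__ == "__main__":
    print("\n".join(ipfw_commands(offenders(SAMPLE_LOG))))
```

Keeping the blocked addresses in a table means the periodic cleanup suggested in the thread can be a cron entry running `ipfw table 1 flush` rather than a restart of the whole ruleset.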