Date: Mon, 22 Sep 2008 13:21:56 -0400 From: Greg Larkin <glarkin@FreeBSD.org> To: David Allen <the.real.david.allen@gmail.com> Cc: freebsd-questions@freebsd.org Subject: Re: Dealing with portscans Message-ID: <48D7D434.6080702@FreeBSD.org> In-Reply-To: <2daa8b4e0809220817v10c4a657l6ee76f853a62b246@mail.gmail.com> References: <2daa8b4e0809220817v10c4a657l6ee76f853a62b246@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Allen wrote: > Over the last few weeks I've been getting numerous ports scans, each from > unique hosts. The situation is more of an annoyance than anything else, > but I would prefer not seeing or having to deal with an extra 20-30K > entries in my logs as was the case recently. > > I use pf for firewalling, and while it does offer different methods > (max-src-conn, max-src-conn-rate, etc.) for dealing with abusive hosts, it > doesn't seem to offer much in the way of dealing with repeated blocked > (non-stateful) connection attempts from a given host. > > Short of running something like snort, is there a suitable tool for > dealing with this? If not, I'll probably resort to running a cronjob to > parse the logfile and add the offending hosts manually. Hi David, You might want to try security/portsentry from the ports tree. It's a bit dated, and it has no maintainer at the moment, but a cursory glance at it tells me it might work for you. It supports pf for blocking connections once your trigger conditions are met. Hope that helps, Greg - -- Greg Larkin http://www.FreeBSD.org/ - The Power To Serve http://www.sourcehosting.net/ - Ready. Set. Code. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFI19Q00sRouByUApARAskrAJ9kY4inBSR/VmYvXHgV1iw0mfc6HwCglxsE FNlFennVqnulX2EB5PzSw4s= =O6FF -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48D7D434.6080702>