auto-blackholing/blacklisting on multiple hacking attempts

Sun, 25 May 2008 18:46:37 -0700 

Hi,

I'm running freebsd 7-RELEASE

I see this, for example, in my auth log:

May 15 02:00:39 www sshd[9180]: Invalid user web from 201.18.232.30
May 15 02:00:41 www sshd[9182]: Invalid user web from 201.18.232.30
May 15 02:00:43 www sshd[9184]: Invalid user web from 201.18.232.30
May 15 02:00:45 www sshd[9186]: Invalid user web from 201.18.232.30
May 15 02:00:48 www sshd[9188]: Invalid user web from 201.18.232.30
May 15 02:00:50 www sshd[9190]: Invalid user web from 201.18.232.30
May 15 02:00:52 www sshd[9192]: Invalid user web from 201.18.232.30
May 15 02:00:54 www sshd[9194]: Invalid user web from 201.18.232.30
May 15 02:00:56 www sshd[9196]: Invalid user web from 201.18.232.30
May 15 02:00:58 www sshd[9198]: Invalid user web from 201.18.232.30
May 15 02:01:00 www sshd[9200]: Invalid user web from 201.18.232.30
May 15 02:01:02 www sshd[9205]: Invalid user web from 201.18.232.30
May 15 02:01:04 www sshd[9207]: Invalid user account from 201.18.232.30
May 15 02:01:06 www sshd[9209]: Invalid user account from 201.18.232.30
May 15 02:01:08 www sshd[9211]: Invalid user account from 201.18.232.30
May 15 02:01:10 www sshd[9213]: Invalid user account from 201.18.232.30
May 15 02:01:12 www sshd[9218]: Invalid user account from 201.18.232.30
May 15 02:01:14 www sshd[9220]: Invalid user account from 201.18.232.30
May 15 02:01:39 www sshd[9244]: Invalid user apache from 201.18.232.30
May 15 02:01:41 www sshd[9246]: Invalid user apache from 201.18.232.30
May 15 02:01:43 www sshd[9248]: Invalid user apache from 201.18.232.30
May 15 02:01:45 www sshd[9250]: Invalid user apache from 201.18.232.30
May 15 02:01:47 www sshd[9252]: Invalid user apache from 201.18.232.30

I'd like it to be so that if an IP tries to connect to sshd more than
once in a 30 second period, that they are immediately blackholed.
Should I be using pf for this or would it be done better in some other
utility?

cheers

-- 
John
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to