2008/9/17 Mel <[EMAIL PROTECTED]>:
> On Thursday 18 September 2008 01:15:45 Marc G. Fournier wrote:
>> Does anyone know of a utility that I can use with sshd to auto-block by IP
>> if there are more than N failed attempts in a row?
>
> # crontab -l
> @reboot /usr/sbin/daemon -p /var/run/grok-ssh.pid /usr/local/bin/grok -f /etc/pf/grok-ssh.conf
>
> # grep -- -0F /usr/local/bin/grok
> my $TAIL = "/usr/bin/tail -0F";
>
> ^^^^ so that newsyslog doesn't interfere.
>
> $ cat /etc/pf/grok-ssh.conf
> file "/var/log/auth.log" {
>        type "ssh-illegal-user" {
>                match = "Invalid user %USERNAME% from %IP%";
>                threshold = 5;   # 5 hits ...
>                key = "%IP%";    # from a single ip ...
>                interval = 60;   # in 1 minute
>                reaction = "/root/bin/pfscanners %IP%"; # permanent
>        };
>
>        type "ssh-scan-possible" {
>                match = "Did not receive identification string from %IP%";
>                threshold = 3;
>                interval = 60;
>                reaction = "/sbin/pfctl -t scanners -Tadd %IP%"; #temporary
>        };
> };
>
> $ cat /root/bin/pfscanners
> #!/bin/sh
>
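> # Add each address given as an argument to the live pf table
> # and to the file the table is reloaded from.
> while [ -n "$1" ]; do
>        /sbin/pfctl -t scanners -Tadd "$1"
>        echo "$1" >> /etc/pf/scanners.table
>        shift
> done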
>
> $ grep scanners /etc/pf.conf
> table <scanners> persist file "/etc/pf/scanners.table"
> block in log on $ext_if from <scanners>
>
> --
> Mel
>
> Problem with today's modular software: they start with the modules
>    and never get to the software part.
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"
>

Cool utilities..:)

Also, you may consider, if you want to watch other logs and have it alert you
about that... you should try sec.pl... it's in the ports...
Very configurable, and it helps you with all the logs you want...
From there you could add it to the hosts.allow or you could launch a
script or a FW rule...

Cheers,
Agustin
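
The thresholding that the quoted grok-ssh.conf expresses (N matching lines from one IP within an interval), as an added Python example that is not part of the thread and is not grok's own code. It assumes a rule fires when the count reaches the threshold, keys both rules by IP, and uses constructed log lines and an assumed year, since syslog timestamps omit it.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# name -> (pattern, threshold, interval in seconds), mirroring grok-ssh.conf.
# The user name is remote-supplied text, so the IP is anchored to end of line.
TAIL = r" from (\S+)(?: port \d+)?$"
RULES = {
    "ssh-illegal-user": (re.compile(r"Invalid user .*" + TAIL), 5, 60),
    "ssh-scan-possible": (re.compile(r"Did not receive identification string" + TAIL), 3, 60),
}

# Constructed sample lines in auth.log format (documentation-range addresses).
FMT = "Sep 18 01:{:02d}:{:02d} gw sshd[811]: {}"
SAMPLE = (
    [FMT.format(15, s, "Invalid user admin from 203.0.113.5") for s in (1, 9, 17, 25, 33)]
    + [FMT.format(m, 0, "Invalid user test from 198.51.100.7") for m in (20, 21, 22, 23, 24)]
    + [FMT.format(30, s, "Did not receive identification string from 192.0.2.9") for s in (5, 10, 15)]
)

def detect(lines, year=2008):
    """Return [(rule, ip)] in the order each key first reaches its threshold.

    syslog timestamps carry no year; the default year is an assumption.
    """
    hits = defaultdict(deque)  # (rule, ip) -> timestamps still inside the window
    seen, out = set(), []
    for line in lines:
        for rule, (pattern, threshold, interval) in RULES.items():
            m = pattern.search(line.rstrip())
            if not m:
                continue
            try:  # only a syntactically valid address may reach the reaction
                ip = str(ipaddress.ip_address(m.group(1)))
            except ValueError:
                continue
            now = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            window = hits[(rule, ip)]
            window.append(now)
            while (now - window[0]).total_seconds() > interval:
                window.popleft()  # drop hits older than the interval
            if len(window) >= threshold and (rule, ip) not in seen:
                seen.add((rule, ip))
                out.append((rule, ip))
    return out

if __name__ == "__main__":
    for rule, ip in detect(SAMPLE):
        print(f"{rule}: /sbin/pfctl -t scanners -Tadd {ip}")
```

In the sample, 198.51.100.7 produces five "Invalid user" lines but only one per minute, so it never has five inside a 60-second window and is not reported.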