--On Wednesday, October 13, 2004 10:04:24 AM -0400 "Brian J. McGovern" <[EMAIL PROTECTED]> wrote:

Rather than having to hang over my machine is there any software out there that will monitor logs (e.g. /var/log/messages), parse out failed logins like this, and run an ipfw command to block it? Perhaps something can be done via PAM?

Yes. Look at the Sentry Tools project at Sourceforge. (<http://sourceforge.net/projects/sentrytools/>) In particular, portsentry will do exactly what you want. It will throw up a temporary rule in ipfw blocking the host. (I say temporary because when you restart ipfw it will go away.) It will also add the host to your /etc/hosts.allow file, blocking it permanently from accessing privileged services.

        An added extra bonus would be if it would unblock after some period
of time, in case a legit. user bungles their password, and can't get in
(saves the service call).

It won't do that, but you can just run ipfw show and then delete the rule. Then you can add that host to the portsentry.ignore file, and it will never happen again. (Or you can do it proactively if you know the hosts or networks your users will be coming from.)

I've been using it for years. Works very well, but be careful. On a large server with lots of activity, you probably want to start by not blocking anything until you're comfortable with your ignore file.

I also use logsentry on a number of hosts. Very nice program. Both are well written and quite mature.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
[EMAIL PROTECTED] mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to