Carl Makin said the following on 02/16/06 20:07:
> Atanas wrote:
>> Does anybody know whether ipfw (or something else within FreeBSD-4) is capable of setting connection rate limits?
>
> I'm using SEC to monitor the auth.log file and block any IP addresses that fail a password 3 times within 60 seconds. I use the following sec.conf file;

Yeah, it does pretty much the same thing I do with a simple script like:

#!/usr/bin/perl
use strict;
use warnings;

my $MAX_TRIES = 5;      # failures tolerated before a source address is blocked
my $RULE_BASE = 10100;  # first ipfw rule number used for the blocks
my $RULES_MAX = 10;     # rule numbers 10100..10109 are reused round-robin
my $Rule = $RULE_BASE;
my %Match;              # running failure count per source address

sub ip_block  # ($ip, $port)
{
    my ($ip, $port) = @_;

    # Reuse the slot: drop whatever rule currently holds this number, then add the deny.
    `ipfw delete $Rule` if `ipfw list $Rule 2>/dev/null`;
    `ipfw add $Rule deny tcp from $ip to any $port in setup`;

    # Advance to the next rule number, wrapping back to $RULE_BASE after $RULES_MAX rules.
    $Rule = $RULE_BASE + (++$Rule - $RULE_BASE) % $RULES_MAX;
}

open LOG, "tail -f /var/log/auth.log |" or die "cannot run tail: $!";
while (<LOG>) {

    if( /sshd\[\d+\]/ ) {
        if( /((Illegal user|Failed password for) \S+|Did not receive identification string) from (\d+\.\d+\.\d+\.\d+)/ ) {
            my $ip = $3;
            # The counter never expires; the block fires on the attempt after $MAX_TRIES failures.
            next if $Match{$ip}++ < $MAX_TRIES;
            ip_block($ip, 22);
            delete $Match{$ip};   # reset the counter for this address
        }
    }
}
close LOG;

And a cron job removes the blocks every hour:

7 * * * * /sbin/ipfw delete 10100 10101 10102 10103 10104 10105 10106 10107 10108 10109

It does the job, but it would be nice for sshd to have some rate-limit protection built-in. Otherwise, with the increasing number of attacks nowadays, many people would need similar protection.

Regards,
Atanas

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
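The two approaches in this thread differ in one detail worth seeing in code: Carl's SEC rule counts failures inside a 60-second window, while the Perl script above keeps a cumulative counter that never expires, so a host that fails once a day is eventually blocked too. The following is an added example, not code from either poster, written in Python rather than Perl so it can be run stand-alone. It parses the same sshd messages the Perl regex matches, applies a sliding window per source address, rotates through the same ipfw rule-number pool, and returns the ipfw commands instead of executing them (the syslog timestamp format, the assumed year 2006, and the sample log lines are all constructed for the demo):

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The same sshd failure messages the Perl script matches (OpenSSH 3.x/4.x wording).
FAIL_RE = re.compile(
    r'sshd\[\d+\]: .*?'
    r'(?:(?:Illegal user|Failed password for) \S+|Did not receive identification string)'
    r' from (\d+\.\d+\.\d+\.\d+)'
)
# Classic syslog prefix "Feb 16 20:07:01 host ..."; it carries no year, so one is assumed.
STAMP_RE = re.compile(r'^([A-Z][a-z]{2}) +(\d{1,2}) (\d\d:\d\d:\d\d) ')


def parse_line(line, year=2006):
    """Return (seconds since Jan 1 of `year`, source ip) for an sshd failure line, else None."""
    stamp = STAMP_RE.match(line)
    fail = FAIL_RE.search(line)
    if not stamp or not fail:
        return None
    ts = datetime.strptime(f"{year} {stamp.group(1)} {stamp.group(2)} {stamp.group(3)}",
                           "%Y %b %d %H:%M:%S")
    return (ts - datetime(year, 1, 1)).total_seconds(), fail.group(1)


def ipfw_commands(rule, ip, port):
    """The same delete-then-add pair the Perl ip_block() runs; returned, not executed."""
    return [f"ipfw delete {rule}",
            f"ipfw add {rule} deny tcp from {ip} to any {port} in setup"]


class RateLimiter:
    """Block an address after `threshold` failures within `window` seconds (SEC-style)."""

    def __init__(self, threshold=3, window=60, rule_base=10100, rules_max=10, port=22):
        self.threshold, self.window, self.port = threshold, window, port
        self.rule_base, self.rules_max = rule_base, rules_max
        self.hits = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked = {}                # ip -> ipfw rule number holding its block
        self.rule_owner = {}             # rule number -> ip currently blocked by it
        self.next_slot = 0

    def observe(self, line):
        """Feed one log line; return the ipfw commands if it triggers a block, else None."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        t, ip = parsed
        if ip in self.blocked:           # already denied at the firewall; nothing to do
            return None
        q = self.hits[ip]
        q.append(t)
        while q and t - q[0] > self.window:   # expire failures outside the window
            q.popleft()
        if len(q) < self.threshold:
            return None
        rule = self.rule_base + self.next_slot % self.rules_max
        self.next_slot += 1
        # Reusing a rule number silently unblocks whoever held it, exactly as the
        # Perl script's `ipfw delete $Rule` does; keep the bookkeeping honest.
        old = self.rule_owner.pop(rule, None)
        if old is not None:
            self.blocked.pop(old, None)
        self.blocked[ip] = rule
        self.rule_owner[rule] = ip
        del self.hits[ip]
        return ipfw_commands(rule, ip, self.port)


def scan(lines, **kw):
    """Run every line through a fresh RateLimiter; return (blocked map, all commands)."""
    limiter = RateLimiter(**kw)
    commands = []
    for line in lines:
        out = limiter.observe(line)
        if out:
            commands.extend(out)
    return limiter.blocked, commands


# Constructed sample log: 10.0.0.5 fails three times in 8 s; 192.0.2.77 fails three
# times spread over 3 minutes and must stay unblocked; a successful login is ignored.
SAMPLE_LINES = [
    "Feb 16 20:07:01 gw sshd[8123]: Failed password for root from 10.0.0.5 port 4444 ssh2",
    "Feb 16 20:07:05 gw sshd[8125]: Illegal user admin from 10.0.0.5",
    "Feb 16 20:07:09 gw sshd[8127]: Did not receive identification string from 10.0.0.5",
    "Feb 16 20:07:30 gw sshd[8129]: Failed password for root from 10.0.0.5 port 4445 ssh2",
    "Feb 16 20:07:40 gw sshd[8128]: Accepted publickey for carl from 192.0.2.9 port 5000 ssh2",
    "Feb 16 20:10:00 gw sshd[8130]: Failed password for root from 192.0.2.77 port 1 ssh2",
    "Feb 16 20:11:30 gw sshd[8131]: Failed password for root from 192.0.2.77 port 2 ssh2",
    "Feb 16 20:13:00 gw sshd[8132]: Failed password for root from 192.0.2.77 port 3 ssh2",
]

if __name__ == "__main__":
    blocked, cmds = scan(SAMPLE_LINES)
    print(blocked)
    print("\n".join(cmds))
```

Pipe `tail -f /var/log/auth.log` into `observe()` and hand the returned strings to `subprocess.run` to make it live; the hourly cron job from the thread still applies, since nothing here removes a block on its own.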
