I think it is bad practice to use something that's not even in the base, when you have the feature in pf readily available.
pass in on vr0 inet proto tcp from any to (vr0) port ssh keep state \
    (max-src-conn-rate 1/60, overload <badhosts> flush global)

On Wed, 19 Oct 2011 10:04:09 +0400 "Wesley M." <[email protected]> wrote:
> I added this:
>
> in pf.conf
> ...
> table <black> persist file "/etc/black"
> ...
> block quick from <black>
> ...
>
> Added to crontab
> pfctl -t black -T add $(cat /var/log/alert | awk '{print $6}')
>
> What do you think about that?
> Perhaps you have an easier way to do it?
> Now I'm looking for a small web monitor to view alerts provided by
> scanlogd. Any idea?
>
> cheers,
>
> Wesley.
>
> On Wed, 19 Oct 2011 09:31:35 +0400, "Wesley M."
> <[email protected]> wrote:
> > Hi,
> >
> > I use OpenBSD 4.9, I'm looking for a good NIDS.
> >
> > I found "scanlogd" in ports, works very well.
> >
> > But is there a way to work this last one with pf? For example add
> > the IP address detected by scanlogd to a "Blacklist" table?
> >
> > Also, is there a way to have a web monitor to view alerts?
> >
> > Perhaps you use something else ... what? ;-) snort?
> >
> > Thank you very much!
> >
> > All the best,
> >
> > Wesley.
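An added example, not from either post: the quoted cron command hands field 6 of every line in /var/log/alert to pfctl unchecked. This script filters first, keeping only valid, de-duplicated IPv4 sources from scanlogd entries and skipping an allowlist, since scan sources can be spoofed. The log layout, the allowlisted addresses and the function names are assumptions.

```shell
#!/bin/sh
# Added example: turn scanlogd alert lines into a clean address list for a pf table.
# Assumed line layout (see constructed samples): syslog prefix, then
# "saddr[:sport] to daddr ports ...", so the source is awk field 6.
ALLOW="192.0.2.1 192.0.2.53"   # hypothetical hosts that must never be blocked

# Read alert lines on stdin; print unique, valid, non-allowlisted IPv4 sources.
extract_sources() {
    awk -v allow="$ALLOW" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        $5 ~ /^scanlogd(\[[0-9]+\])?:$/ {
            ip = $6
            sub(/:[0-9]+$/, "", ip)              # drop an optional :sport suffix
            if (split(ip, o, ".") != 4) next     # must be exactly four octets
            ok = 1
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255) ok = 0
            if (ok && !(ip in skip) && !seen[ip]++) print ip
        }'
}

# Load the addresses with "pfctl -T add -f <file>", one address per line, so
# nothing taken from the log is word-split or globbed on a command line.
sync_table() {   # usage: sync_table <table> <alert-log>
    tmp=$(mktemp) || return 1
    extract_sources < "$2" > "$tmp"
    rc=0
    if [ -s "$tmp" ]; then pfctl -t "$1" -T add -f "$tmp"; rc=$?; fi
    rm -f "$tmp"; return $rc
}

# Constructed sample lines: duplicate, allowlisted, malformed and non-scanlogd.
sample_alerts() {
    cat <<'EOF'
Oct 19 09:58:01 gw scanlogd: 203.0.113.7:40112 to 198.51.100.2 ports 21, 22, 23, ..., fSrpauxy, TOS 00 @09:58:01
Oct 19 09:58:40 gw scanlogd: 203.0.113.7 to 198.51.100.2 ports 80, 81, 82, ..., fSrpauxy, TOS 00 @09:58:40
Oct 19 09:59:02 gw scanlogd: 192.0.2.1:53 to 198.51.100.2 ports 1024, 1025, ..., fSrpauxy, TOS 00 @09:59:02
Oct 19 09:59:30 gw scanlogd: 300.1.2.3:80 to 198.51.100.2 ports 1, 2, 3, ..., fSrpauxy, TOS 00 @09:59:30
Oct 19 10:00:11 gw sshd[411]: Failed password for root from 198.51.100.99 port 2200 ssh2
Oct 19 10:01:05 gw scanlogd: 198.51.100.77:3333 to 198.51.100.2 ports 5, 6, 7, ..., fSrpauxy, TOS 00 @10:01:05
EOF
}

if [ "${1:-}" = "apply" ]; then          # e.g. from cron: <script> apply
    sync_table black /var/log/alert
else
    sample_alerts | extract_sources      # dry run on the constructed sample
fi
```

Run without arguments it only prints what would be added; `apply` needs root and the `table <black> persist` and `block quick from <black>` lines from the quoted pf.conf.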

