On Fri, Jan 11, 2019 at 09:30:38AM +1100, Aaron Mason wrote:
> I knew it wouldn't trigger on the first attempt, but I had a sneaking
> suspicion that you'd need something to listen on that port.  Is there
> a way to achieve what we seek, in that case, without userland tools?
> 
> On Thu, Jan 10, 2019 at 9:18 PM Stuart Henderson <[email protected]> wrote:
> >
> > On 2019-01-09, Aaron Mason <[email protected]> wrote:
> > > Hi Jordan
> > >
> > > I've set it up to try it, but I'm not having much luck.  Even when I
> > > trigger more than one, it still doesn't populate the bad_hosts table,
> > > even again when I extend the rate period to 86400 seconds.  I've added
> > > logging so I know the rule is triggering.  See below.
> >
> > max-src-conn-rate is only triggered when a TCP connection is
> > established, you need to have something listening (and it will only
> > trigger on the *second* connection).
> >
> >
> 
> 
> -- 
> Aaron Mason - Programmer, open source addict
> I've taken my software vows - for beta or for worse
>

I wrote a little daemon to do what we're looking for. It listens on
specified ports, accepts the connection and executes a script so you can
either use something like logger or pfctl, etc to do what you want with
the address it connected from. If anyone wants to play with it let me
know and I'll send you the tarball.

Edgar
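
A minimal listener of the kind Edgar describes, written here as an added example (this is not Edgar's daemon and no tarball is implied). Since pf's max-src-conn-rate only counts established TCP connections, the daemon binds the requested ports, completes the handshake, closes the connection without reading from it, and hands the kernel-reported peer address to a hand-off script, which can call logger or `pfctl -t bad_hosts -T add`. The script path, the port list and the five-second script timeout are assumptions of the example.

```python
#!/usr/bin/env python3
"""Accept-and-hand-off listener (added example, not Edgar's daemon).

pf's max-src-conn-rate only counts *established* TCP connections, so a port
nobody listens on never trips it.  This daemon binds the listed ports,
completes the handshake, closes the connection without reading from it, and
hands the kernel-reported peer address to a hand-off script.  A hand-off
script feeding the bad_hosts table from the thread could be as small as:

    #!/bin/sh
    pfctl -t bad_hosts -T add "$1"

or it could simply call logger.  The script path, the port list and the
5-second script timeout below are assumptions for this example.
"""
import selectors
import socket
import subprocess
import sys

SCRIPT_TIMEOUT = 5  # seconds; a hung hand-off script must not stall accepts


def build_command(script, peer_ip, local_port):
    """argv for the hand-off script: no shell, so the address is never parsed."""
    return [script, peer_ip, str(local_port)]


def run_script(cmd):
    """Default runner: execute the hand-off script with stdin closed."""
    try:
        subprocess.run(cmd, stdin=subprocess.DEVNULL, check=False,
                       timeout=SCRIPT_TIMEOUT)
    except (OSError, subprocess.TimeoutExpired) as exc:
        print(f"hand-off failed for {cmd}: {exc}", file=sys.stderr)


def make_listener(host, port, backlog=16):
    """Bind a TCP listening socket (IPv4 only, for brevity)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(backlog)
    return sock


def probe(host, port):
    """Open a client connection (used when exercising the daemon locally)."""
    return socket.create_connection((host, port))


def accept_one(listener, script, runner=run_script):
    """Accept one pending connection, close it, hand off the peer address.

    Returns (peer_ip, local_port).  Nothing is read from the socket: the
    only datum used is the peer address the kernel reports, so the remote
    side gets no chance to feed data into the hand-off script.
    """
    conn, (peer_ip, _peer_port) = listener.accept()
    local_port = conn.getsockname()[1]
    conn.close()
    runner(build_command(script, peer_ip, local_port))
    return peer_ip, local_port


def serve(ports, script, host="0.0.0.0", runner=run_script, max_accepts=None):
    """Multiplex accepts across all ports; max_accepts bounds the loop for demos."""
    sel = selectors.DefaultSelector()
    listeners = [make_listener(host, p) for p in ports]
    for lst in listeners:
        sel.register(lst, selectors.EVENT_READ)
    handled = 0
    try:
        while max_accepts is None or handled < max_accepts:
            for key, _ in sel.select():
                peer_ip, local_port = accept_one(key.fileobj, script, runner)
                print(f"{peer_ip} -> port {local_port}", file=sys.stderr)
                handled += 1
    finally:
        for lst in listeners:
            lst.close()


if __name__ == "__main__":
    # usage: listener.py /path/to/handoff.sh 23 2323 ...
    # (ports below 1024 need root; run it under a dedicated unprivileged
    # account otherwise)
    serve([int(p) for p in sys.argv[2:]], sys.argv[1])
```

The hand-off script receives the address as a plain argument rather than through a shell line, and the daemon never reads from the accepted socket, so the only input that reaches the script is what the kernel reports. Pair it with a pf rule carrying max-src-conn-rate and an overload table, and the second connection from the same source within the rate window lands in the table as Stuart described.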
