Sorry, I haven't tried it yet. I'll do it ASAP.

On Tue, 15 Jan 2019 21:05:32 -0600
[email protected] wrote:
> On Sun, Jan 13, 2019 at 01:39:13PM -0600, [email protected] wrote:
> > On Sun, Jan 13, 2019 at 08:04:32PM +0100, Radek wrote:
> > > Hi,
> > >
> > > I would gladly play with your script. Would you please share it @misc.
> > > Maybe our community could develop it further...
>
> Just curious if anyone has tried it out. I've been running it for about
> 48 hours now and it doesn't appear to be having any issues. Plus my pf
> table is growing.
>
> $ doas pfctl -t badguys -T show | wc -l
> 697
>
> I have it running on about 10 ports. Obviously the majority of the scans
> are on 22, but I was surprised to see so many on 23.
>
> $ egrep "23$" /var/log/messages | wc -l
> 247
>
> Edgar
>
> > >
> > > On Sun, 13 Jan 2019 12:43:15 -0600
> > > [email protected] wrote:
> > >
> > > > On Fri, Jan 11, 2019 at 09:30:38AM +1100, Aaron Mason wrote:
> > > > > I knew it wouldn't trigger on the first attempt, but I had a sneaking
> > > > > suspicion that you'd need something to listen on that port. Is there
> > > > > a way to achieve what we seek, in that case, without userland tools?
> > > > >
> > > > > On Thu, Jan 10, 2019 at 9:18 PM Stuart Henderson
> > > > > <[email protected]> wrote:
> > > > > >
> > > > > > On 2019-01-09, Aaron Mason <[email protected]> wrote:
> > > > > > > Hi Jordan
> > > > > > >
> > > > > > > I've set it up to try it, but I'm not having much luck. Even
> > > > > > > when I trigger more than one, it still doesn't populate the
> > > > > > > bad_hosts table, even again when I extend the rate period to
> > > > > > > 86400 seconds. I've added logging so I know the rule is
> > > > > > > triggering. See below.
> > > > > >
> > > > > > max-src-conn-rate is only triggered when a TCP connection is
> > > > > > established, you need to have something listening (and it will only
> > > > > > trigger on the *second* connection).
> > > > > >
> > > > >
> > > > > --
> > > > > Aaron Mason - Programmer, open source addict
> > > > > I've taken my software vows - for beta or for worse
> > > >
> > > > I wrote a little daemon to do what we're looking for. It listens on
> > > > specified ports, accepts the connection and executes a script so you can
> > > > either use something like logger or pfctl, etc to do what you want with
> > > > the address it connected from. If anyone wants to play with it let me
> > > > know and I'll send you the tarball.
> > > >
> > > > Edgar
> > >
> > > --
> > > radek
> >
> > It can be obtained at http://www.pettijohn-web.com/void-1.0.0.tar.gz
> >
> > The manual isn't quite complete. The supplied script could really use
> > some help as well as an rc script. The makefile is also cobbled
> > together. It is pledged and unveiled. I think it can have a few of the
> > pledges removed, but I haven't gotten that far. I think it is unveiled
> > correctly, but this was my first time playing with it.
> >
> > The only requirement is libevent2 to aid in portability, which was the
> > driving force behind executing a script so that it could tie into
> > whatever packet filter is in use. Any constructive suggestions and
> > patches are more than welcome.
> >
> > Enjoy.
> >
> > Edgar

--
radek
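As an added example (not the script shipped in the void tarball), here is the kind of hook script the listener daemon discussed above would execute to feed pf: it assumes the daemon passes the peer address as the first argument and, as a further assumption, the local port as the second, validates the address before it reaches pfctl or the log, and skips a constructed allowlist of management hosts so the table can never lock out the operator.

```shell
#!/bin/sh
# Hook run by the listener daemon after accept(): hook.sh <peer-ip> [<local-port>]
# Added illustration; the calling convention and the allowlist are assumptions.
set -eu

TABLE="badguys"                    # pf table name used in the thread
ALLOW="127.0.0.1 ::1 192.0.2.10"   # constructed example: hosts never to ban

# Sanity filter: accept only a plain IPv4 dotted quad or an IPv6 literal, so a
# malformed argument can never be spliced into a pfctl command or a log line.
is_ip_literal() {
    case "$1" in
        '') return 1 ;;
        *[!0-9.]*) ;;                  # not pure IPv4 characters; try IPv6 below
        *.*.*.*) return 0 ;;           # digits and dots with at least three dots
        *) return 1 ;;
    esac
    case "$1" in
        *[!0-9a-fA-F:.]*) return 1 ;;  # IPv6 allows hex digits, ':' and '.' only
        *:*) return 0 ;;
        *) return 1 ;;
    esac
}

is_allowlisted() {
    for a in $ALLOW; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# Pure decision function so the policy can be tested without touching pf:
# prints "reject" (malformed), "skip" (allowlisted) or "ban".
classify() {
    is_ip_literal "$1" || { echo reject; return 0; }
    is_allowlisted "$1" && { echo skip; return 0; }
    echo ban
}

handle_connection() {
    ip=$1; port=${2:-unknown}
    case "$(classify "$ip")" in
        ban)    logger -t void-hook "banning $ip (connected to port $port)"
                pfctl -t "$TABLE" -T add "$ip" ;;
        skip)   logger -t void-hook "ignoring allowlisted $ip on port $port" ;;
        reject) logger -t void-hook "rejected malformed address argument" ;;
    esac
}

if [ "$#" -ge 1 ]; then
    handle_connection "$@"
fi
```

Entries added this way persist only until reboot unless the table is declared `persist` in pf.conf and saved, so pair the hook with a `block in quick from <badguys>` rule and periodic expiry (for example `pfctl -t badguys -T expire`).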

