On Mon, Nov 24, 2025 at 03:29:20PM +0100, Jan Stary wrote:
> > > I'm thinking of blocking bad IPs using PF tables persisted to a file. I
> > > would like to use a cron job to periodically analyze access logs and
> > > update the PF table.
>
> You might be better off leaving that to PF itself,
> using max-src-conn and max-src-conn-rate and the like
> on the connection level, as opposed to parsing at the protocol level.

Or do both. The rapid-fire password guessers are fairly easy to fend off with source tracking options, feeding directly into a table for special treatment (block drop or more imaginative solutions). For some ideas on various scenarios, https://nxdomain.no/~peter/hailmary_lessons_learned.html and links therein will provide some pointers.

But anyway, any logs parsing is better done as a user with only enough privilege to read the files. Only feeding the result into the table needs extra privilege.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://nxdomain.no/~peter/blogposts https://nostarch.com/book-of-pf-4th-edition
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
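As an added example (not from the thread), here is a pf.conf fragment in the spirit of the suggestions above: source-tracking limits on the ssh rule overload offenders into a table persisted to a file, and that same table is where a root-run cron job can feed addresses found by an unprivileged log parser. The table name, file paths and thresholds are assumptions.

```pf
# Added example, not from the thread. Table name, file paths and
# thresholds are assumed; tune them for the service in question.

# Offenders live in a table that is loaded from a file at ruleset load.
# PF does not write runtime additions back, so a periodic
#   pfctl -t bruteforce -T show > /etc/pf.bruteforce
# (run as root) keeps the file current across reloads and reboots.
table <bruteforce> persist file "/etc/pf.bruteforce"

# Drop anything from a listed address before any pass rule is consulted.
block drop in quick from <bruteforce>

# Let PF do the counting at the connection level: at most 15 open
# connections per source, and at most 5 new connections per 3 seconds.
# A source that trips either limit is added to <bruteforce> and all of
# its existing states are flushed.
pass in on egress proto tcp to port ssh \
    keep state (max-src-conn 15, max-src-conn-rate 5/3, \
                overload <bruteforce> flush global)

# Optional cron jobs, run as root (the only step that needs privilege):
#   pfctl -t bruteforce -T expire 86400        # forget entries older than a day
#   pfctl -t bruteforce -T add -f /var/tmp/offenders.txt
# /var/tmp/offenders.txt is written by a separate, unprivileged job that
# only has read access to the access logs, so log parsing never runs as root.
```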

