Quoth W. D. Sadeep <[email protected]>:
> Hello,
> 
> I'm thinking of blocking bad IPs using PF tables persisted to a file. I
> would like to use a cron job to periodically analyze access logs and
> update the PF table. I'd like some advice on how best to set it up:
> 
>   1. Keep the file in /etc/ (e.g., /etc/pf.badbots), set restrictive
>      permissions (chmod 0600), and run the script under root's crontab.
>   2. Keep the file in a dedicated cron job user's directory, allow that
>      user to modify the file via the cron job, and use it in pf.conf.
> 
> I'm inclined to go with #1. Is that okay? Thanks in advance!
> 
> -- 
> Sadeep 
> PGP: 103BF9E3E750BF7E
> 

Personally, I don't think it's a good idea to parse access logs for
generating pf rules because if your script is not properly secured, the
attacker can manipulate your firewall and make things worse; that's
assuming you're not restricting the script to only write a list of IP
addresses to a file that pf would then load as a table later.  That
can potentially be gamed too to allow the attacker to make your pf
block the wrong people if your parser is not tight enough.

I recommend using something like this instead:

# table filled by the overload rule; "persist" keeps it even while no rule refers to it
table <bad_hosts> persist
# drop anything already in the table
block quick from <bad_hosts>
# a source making more than 100 new connections in 10 seconds is added to the
# table; "flush global" also kills all of that source's existing states, not
# just the ones created by this rule
pass in on $ext_if proto tcp to $webserver port www keep state \
        (max-src-conn-rate 100/10, overload <bad_hosts> flush global)

From pf.conf(5) "Stateful Tracking Options" and explained in the FAQ too:
https://www.openbsd.org/faq/pf/filter.html . You can tweak it to your
liking.  Check out all the options in pf.conf(5).

If you still want to parse logs, definitely use an established tool or
only parse as an unprivileged user as the others advised.

--
noodle
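As an added illustration of the "parser not tight enough" point above (example code, not noodle's or anyone else's in the thread): a strict extractor that turns an access log into a list of addresses suitable for a pf table, rejecting anything that is not a bare IP literal in the client field and refusing to emit allowlisted networks. The function names, the allowlist and the sample log lines (documentation addresses) are constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# Networks that must never end up in the block table, whatever the log says.
# Constructed allowlist for this example: put your own address ranges here.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "192.0.2.0/24",
)]

# Combined log format: the client address is the first field. The regex is
# anchored at the start, so an address smuggled into a later, attacker-
# controlled field (request line, referer, user agent) is never matched.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')

def parse_line(line):
    """(ip_address, status) for one log line, or None if the line is malformed,
    the client field is not a bare IP literal, or the address is allowlisted."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    try:
        addr = ipaddress.ip_address(m.group(1))  # rejects names, CIDRs, ports
    except ValueError:
        return None
    if any(addr in net for net in NEVER_BLOCK):
        return None
    return addr, int(m.group(2))

def bad_clients(lines, threshold=2):
    """Sorted canonical addresses with >= threshold 4xx responses (pfctl -T replace -f input)."""
    hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed and 400 <= parsed[1] < 500:
            hits[parsed[0]] += 1
    return sorted(str(a) for a, n in hits.items() if n >= threshold)

# Constructed sample log using documentation addresses, not a real capture.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 162
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /.env HTTP/1.1" 403 199
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 512
2001:db8::42 - - [10/Oct/2023:13:56:10 +0000] "GET /a HTTP/1.1" 404 162
2001:db8::42 - - [10/Oct/2023:13:56:11 +0000] "GET /b HTTP/1.1" 404 162
127.0.0.1 - - [10/Oct/2023:13:57:00 +0000] "GET /x HTTP/1.1" 404 162
127.0.0.1 - - [10/Oct/2023:13:57:01 +0000] "GET /y HTTP/1.1" 404 162
198.51.100.9 - - [10/Oct/2023:13:58:00 +0000] "GET /203.0.113.7 HTTP/1.1" 404 162
""".splitlines()
```

Run it as an unprivileged user and hand the output file to pfctl separately; the loopback client in the sample is dropped by the allowlist and the address embedded in the last request path is never counted.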
