Matthias Kilian wrote:
On Wed, May 31, 2006 at 03:15:34PM -0400, Peter Fraser wrote:
Expect I was not clear.

Someone is attacking address 1, address 2, address 3; those
addresses are all blocked with respect to ssh, but because he
is attacking those addresses, I want to stop an expected attack
on address 4. I never want to pass ssh on address 1, address 2
or address 3 ever; I want to use the information that someone
was trying to ssh to those addresses to identify the person as
an attacker.

Oh, sorry for not reading exactly.

So your problem is that you want to get state for ssh connection
attempts to addresses 1, 2 and 3 but at the same time want to block
those connections. This isn't possible (no connection - no state).

(QUICK HACK ALERT)

But it may be possible to redirect those connections to some unused
port on localhost (i.e. the firewall), let something listen on this
port, and accept everything but immediately close the connection.
Then use a simple pass rule with overload and max-src-conn options
to add offending addresses to your table.

Ciao,
        Kili

ps: I didn't test the above, so if it's complete nonsense, feel
free to flame me.

I've done this and it works quite well. Source is as follows. My first attempt at POSIX network programming so feel free to correct/shoot me.

--

#include <string.h>
#include <strings.h>        /* bzero() */
#include <stdlib.h>         /* exit(), daemon() */
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/*
 * Throw-away listener for the port pf redirects decoy ssh traffic to.
 * Every connection is accepted and closed at once, so the only thing an
 * attacker gets is a state entry for the overload rule to count.
 */
int main(void) {
        int s;
        int on = 1;
        struct sockaddr_in sa;

        s = socket(AF_INET, SOCK_STREAM, 0);
        if (s < 0) {
                exit(1);
        }
        /* Allow a quick restart while old states are still lingering. */
        setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));

        bzero(&sa, sizeof(sa));
        sa.sin_family = AF_INET;
        sa.sin_port = htons(2048);
        sa.sin_addr.s_addr = htonl(INADDR_ANY);

        if (bind(s, (struct sockaddr *)&sa, sizeof(sa)) != 0 ||
            listen(s, 64) != 0 || daemon(0, 0) != 0) {
                exit(1);
        }

        int c;
        struct sockaddr_in ca;
        socklen_t csize;    /* accept() takes a socklen_t *, not an int * */

        while (1) {
                bzero(&ca, sizeof(ca));
                csize = sizeof(ca);
                c = accept(s, (struct sockaddr *)&ca, &csize);
                if (c < 0) {
                        /* accept() returns -1 on error; back off briefly */
                        sleep(1);
                } else {
                        close(c);
                }
        }

        return 0;
}

--
Jason Stubbs
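
The pf.conf side of the hack Kilian describes, as an added example that is not from either poster: ssh to the three decoy addresses is rdr'ed to the do-nothing listener on port 2048, the pass rule for the redirected traffic carries the overload option, and the resulting table is blocked everywhere, including in front of address 4. The interface name, the 192.0.2.x addresses, the table name, port 2048 and the 1/300 threshold are assumptions, and the decoy addresses are assumed to be aliases on the firewall itself.

```pf
# Added example; interface, addresses, table name and thresholds are assumed.
ext_if   = "fxp0"
decoys   = "{ 192.0.2.1, 192.0.2.2, 192.0.2.3 }"  # addresses 1-3: never serve ssh here
real_ssh = "192.0.2.4"                             # address 4: the host to protect

# Sources caught probing the decoys land here; "persist" keeps the table
# alive while it is empty.
table <ssh_attackers> persist

# rdr is applied before filtering, so ssh aimed at a decoy is rewritten to
# the listener on 127.0.0.1:2048 and the filter rules below see the
# translated destination, never decoy:22.
rdr on $ext_if inet proto tcp from any to $decoys port ssh -> 127.0.0.1 port 2048

# Anything already in the table is dropped everywhere. "quick" stops rule
# evaluation so no later pass rule (including the one for address 4) can
# undo this; without it the last matching rule would win.
block in quick on $ext_if from <ssh_attackers> to any

# Pass the redirected decoy traffic so pf creates a state for it and can
# count attempts per source. overload fires when the limit is exceeded,
# so with 1/300 the second attempt from one source within five minutes
# adds it to the table; "flush global" then kills every existing state of
# that source, including any it already holds against address 4.
pass in on $ext_if inet proto tcp from any to 127.0.0.1 port 2048 \
    flags S/SA keep state \
    (max-src-conn-rate 1/300, overload <ssh_attackers> flush global)

# Ordinary ssh to the protected address. A source that touched a decoy
# first is stopped by the block rule above and never reaches this one.
pass in on $ext_if inet proto tcp from any to $real_ssh port ssh \
    flags S/SA keep state
```

Start the listener before loading the ruleset, and check what the overload rule has collected with `pfctl -t ssh_attackers -T show`. Because overload only triggers once the limit is exceeded, a single probe of a decoy does not mark the source; if one attempt must be enough, the listener itself has to add the peer address with `pfctl -t ssh_attackers -T add` instead of relying on the pass rule.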
