Hello,
I'm trying to prevent people from hammering my FTP servers with stupid
login attempts, and devised the following 'sec' rule file:
--------------------------------------
# Count pure-ftpd authentication failures per source IP ($1)
type=SingleWithThreshold
ptype=RegExp
continue=TakeNext
pattern=pure-ftpd\[[0-9]+\]: \(\?\@([0-9\.]+)\) \[WARNING\] Authentication failed for user
desc=FTP attack from $1
# 5 failures within 900 seconds trigger the action list
window=900
thresh=5
# Actions are separated by ';' -- without it, everything after 'logonly'
# is taken as the text to log and the shellcommand never runs
action=logonly; \
shellcommand block-ip $1; reset 0
--------------------------------------
The script 'block-ip' takes a command line argument of an IP number and
adds that to a pf table to block further connections from that IP.
The 'reset 0' is only intended as a cheap workaround until I figure out
how to work with contexts (one per source IP, right?).
Running 'sec' with this configuration, I see messages from sec like, e.g.,
Mon Mar 1 13:56:02 2010: shellcommand block-ip 60.28.43.233
but in reality, it doesn't execute the script, as proven by the atime
of the script that does not change.
It would be nice if someone could shed some light on this - I assume
that the problem lies somewhere in the shell_cmd() function of 'sec',
with the fork in there silently failing somehow, but I haven't dug very
deep yet.
This is sec 2.5.3 on OpenBSD 4.6/i386. 'sec' happens to be a single
Perl script.
TIA!
Kind regards,
--Toni++
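For readers who want to check what the rule above should do before handing an IP to a blocking script, here is an added example (not code from the post or from sec itself) that replays the SingleWithThreshold logic in Python: it applies the post's regex to constructed pure-ftpd syslog lines, keeps a 900-second sliding window per source IP, and reports an IP once 5 failures fall inside the window, clearing that IP's counter as 'reset 0' would. The helper names and the sample lines are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Regex from the post: captures the source IP of a failed pure-ftpd login.
FAIL_RE = re.compile(
    r"pure-ftpd\[[0-9]+\]: \(\?@([0-9.]+)\) \[WARNING\] Authentication failed for user"
)
SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d)")


def parse_line(line, year=2010):
    """Return (timestamp, source_ip) for a failed-auth line, else None."""
    m = FAIL_RE.search(line)
    ts = SYSLOG_TS.match(line)
    if not m or not ts:
        return None
    stamp = " ".join(ts.group(1).split())  # collapse syslog's padded day
    when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return when, m.group(1)


def blocked_ips(lines, thresh=5, window=900):
    """Per-IP sliding window mirroring sec's SingleWithThreshold rule:
    fire once `thresh` failures land inside `window` seconds, then reset
    that IP's counter (the post's 'reset 0'). Returns IPs that fired."""
    seen = defaultdict(deque)
    fired = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, ip = parsed
        q = seen[ip]
        q.append(when)
        while q and (when - q[0]).total_seconds() > window:
            q.popleft()  # drop failures older than the window
        if len(q) >= thresh:
            fired.append(ip)  # this is where block-ip would be invoked
            q.clear()
    return fired


def _line(ts, ip, pid=4021):  # builds a constructed pure-ftpd log line
    return f"{ts} ftp1 pure-ftpd[{pid}]: (?@{ip}) [WARNING] Authentication failed for user [admin]"

# Constructed sample: 6 failures in 6 minutes, 5 failures spread over 20
# minutes (never 5 inside 900 s), 3 failures, and one non-matching line.
SAMPLE = [_line(f"Mar  1 13:5{i}:02", "60.28.43.233") for i in range(6)]
SAMPLE += [_line(f"Mar  1 13:{5 * i:02d}:00", "198.51.100.7") for i in range(5)]
SAMPLE += [_line("Mar  1 14:00:00", "192.0.2.10")] * 3
SAMPLE.append("Mar  1 14:01:00 ftp1 pure-ftpd[4021]: (?@192.0.2.10) [INFO] admin is now logged in")
```

Running `blocked_ips(SAMPLE)` yields only `60.28.43.233`; the other two addresses never reach five failures inside one window.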