On Thursday 18 September 2008 01:15:45 Marc G. Fournier wrote:
> Does anyone know of a utility that I can use with sshd to auto-block by IP
> if there are more then N failed attempts in a row?
# crontab -l
@reboot /usr/sbin/daemon -p /var/run/grok-ssh.pid /usr/local/bin/grok -f
/etc/pf/grok-ssh.conf
# grep -- -0F /usr/local/bin/grok
my $TAIL = "/usr/bin/tail -0F";
^^^^ so that newsyslog doesn't interfere.
$ cat /etc/pf/grok-ssh.conf
file "/var/log/auth.log" {
type "ssh-illegal-user" {
match = "Invalid user %USERNAME% from %IP%";
threshold = 5; # 5 hits ...
key = "%IP%"; # from a single ip ...
interval = 60; # in 1 minutes
reaction = "/root/bin/pfscanners %IP%"; # permanent
};
type "ssh-scan-possible" {
match = "Did not receive identification string from %IP%";
threshold = 3;
interval = 60;
reaction = "/sbin/pfctl -t scanners -Tadd %IP%"; #temporary
};
};
$ cat /root/bin/pfscanners
#!/bin/sh
while( test ! -z "$1" ); do
/sbin/pfctl -t scanners -Tadd $1
echo $1 >> /etc/pf/scanners.table
shift
done
$ grep scanners /etc/pf.conf
table <scanners> persist file "/etc/pf/scanners.table"
block in log on $ext_if from <scanners>
--
Mel
Problem with today's modular software: they start with the modules
and never get to the software part.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
