Hi, I would gladly play with your script. Would you please share it @misc. Maybe our community could develop it further...

On Sun, 13 Jan 2019 12:43:15 -0600 ed...@pettijohn-web.com wrote:
> On Fri, Jan 11, 2019 at 09:30:38AM +1100, Aaron Mason wrote:
> > I knew it wouldn't trigger on the first attempt, but I had a sneaking
> > suspicion that you'd need something to listen on that port. Is there
> > a way to achieve what we seek, in that case, without userland tools?
> >
> > On Thu, Jan 10, 2019 at 9:18 PM Stuart Henderson <s...@spacehopper.org>
> > wrote:
> > >
> > > On 2019-01-09, Aaron Mason <simplersolut...@gmail.com> wrote:
> > > > Hi Jordan
> > > >
> > > > I've set it up to try it, but I'm not having much luck. Even when I
> > > > trigger more than one, it still doesn't populate the bad_hosts table,
> > > > even again when I extend the rate period to 86400 seconds. I've added
> > > > logging so I know the rule is triggering. See below.
> > >
> > > max-src-conn-rate is only triggered when a TCP connection is
> > > established, you need to have something listening (and it will only
> > > trigger on the *second* connection).
> > >
> > >
> >
> > --
> > Aaron Mason - Programmer, open source addict
> > I've taken my software vows - for beta or for worse
>
> I wrote a little daemon to do what we're looking for. It listens on
> specified ports, accepts the connection and executes a script so you can
> either use something like logger or pfctl, etc to do what you want with
> the address it connected from. If anyone wants to play with it let me
> know and I'll send you the tarball.
>
> Edgar
>
--
radek
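The thread turns on Stuart's point that max-src-conn-rate only counts established TCP connections, so a closed port never populates the overload table, and on Edgar's workaround of a small daemon that accepts the connection and hands the source address to a script. Edgar's tarball is not on the list, so the listener below is an added example written for this thread, not his code. It is a single-process accept-and-exec loop in Python: it parses a port list, completes the TCP handshake on each port, closes the connection without reading anything, and runs a script of your choice with the peer address and ports as separate argv entries (no shell), so the script can run `logger` or `pfctl -t bad_hosts -T add <addr>` as the thread discusses. The script path, the port list and the handler function names are this example's own choices; the `bad_hosts` table name comes from the thread.

```python
#!/usr/bin/env python3
"""Minimal accept-and-run-a-script listener (added example, not the daemon
from the thread).

It gives pf an established TCP connection to count for max-src-conn-rate
and passes the connecting address to a handler script of your choosing.
"""
import selectors
import socket
import subprocess
import sys
from typing import Callable, List, Sequence, Tuple


def parse_ports(spec: str) -> List[int]:
    """Turn '22,23,3389' into [22, 23, 3389]; reject junk rather than guess."""
    ports = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        port = int(item)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        ports.append(port)
    if not ports:
        raise ValueError("no ports given")
    return ports


def build_command(script: str, peer: Tuple[str, int], local_port: int) -> List[str]:
    """argv for the handler script: address, peer port and local port.

    The address comes from accept(), never from data the client sent, and it
    is passed as a separate argv element rather than through a shell, so the
    handler script cannot be fed shell metacharacters.
    """
    host, peer_port = peer
    return [script, host, str(peer_port), str(local_port)]


def run_script(argv: Sequence[str]) -> int:
    """Default runner: execute without a shell and bound how long it may block."""
    return subprocess.run(list(argv), check=False, timeout=30).returncode


def make_listener(port: int, host: str = "0.0.0.0") -> socket.socket:
    """Bind a non-blocking TCP listener; the handshake is all we want from it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(64)
    sock.setblocking(False)
    return sock


def handle_one(listener: socket.socket, script: str,
               runner: Callable[[Sequence[str]], int] = run_script) -> Tuple[str, int]:
    """Accept one connection, close it immediately, run the script for the peer.

    Nothing is read from the client: the only goals are that the TCP handshake
    completes (so pf sees an established connection) and that the source
    address reaches the script. Returns the peer (host, port).
    """
    conn, peer = listener.accept()
    try:
        local_port = conn.getsockname()[1]
    finally:
        conn.close()
    runner(build_command(script, peer, local_port))
    return peer


def serve(ports: Sequence[int], script: str) -> None:
    """Event loop over all listeners: one process, no threads, no reads."""
    sel = selectors.DefaultSelector()
    for port in ports:
        sel.register(make_listener(port), selectors.EVENT_READ)
    while True:
        for key, _ in sel.select():
            try:
                handle_one(key.fileobj, script)
            except (OSError, subprocess.TimeoutExpired) as exc:
                print(f"handler error: {exc}", file=sys.stderr)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} PORT[,PORT...] /path/to/handler-script")
    serve(parse_ports(sys.argv[1]), sys.argv[2])
```

Two points worth noting when using something like this alongside a pf rule: the script fires on the first accepted connection, whereas the in-kernel max-src-conn-rate counter only acts from the second one, so the two paths will disagree about a single probe; and the listener should only be bound to ports nothing legitimate uses, run as an unprivileged user that is allowed to reach pfctl through doas, so a bug in the handler script cannot do more than add table entries.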