On Sun, Jan 13, 2019 at 01:39:13PM -0600, ed...@pettijohn-web.com wrote:
> On Sun, Jan 13, 2019 at 08:04:32PM +0100, Radek wrote:
> > Hi,
> > 
> > I would gladly play with your script. Would you please share it @misc. 
> > Maybe our community could develop it further...

Just curious if anyone has tried it out. I've been running it for about
48 hours now and it doesn't appear to be having any issues. Plus my pf
table is growing.

$ doas pfctl -t badguys -T show | wc -l
     697

I have it running on about 10 ports. Obviously the majority of the scans
are on 22, but I was surprised to see so many on 23.

$ egrep "23$" /var/log/messages | wc -l
     247

Edgar

> > 
> > On Sun, 13 Jan 2019 12:43:15 -0600
> > ed...@pettijohn-web.com wrote:
> > 
> > > On Fri, Jan 11, 2019 at 09:30:38AM +1100, Aaron Mason wrote:
> > > > I knew it wouldn't trigger on the first attempt, but I had a sneaking
> > > > suspicion that you'd need something to listen on that port.  Is there
> > > > a way to achieve what we seek, in that case, without userland tools?
> > > > 
> > > > On Thu, Jan 10, 2019 at 9:18 PM Stuart Henderson <s...@spacehopper.org> 
> > > > wrote:
> > > > >
> > > > > On 2019-01-09, Aaron Mason <simplersolut...@gmail.com> wrote:
> > > > > > Hi Jordan
> > > > > >
> > > > > > I've set it up to try it, but I'm not having much luck.  Even when I
> > > > > > trigger more than one, it still doesn't populate the bad_hosts 
> > > > > > table,
> > > > > > even again when I extend the rate period to 86400 seconds.  I've 
> > > > > > added
> > > > > > logging so I know the rule is triggering.  See below.
> > > > >
> > > > > max-src-conn-rate is only triggered when a TCP connection is
> > > > > established, you need to have something listening (and it will only
> > > > > trigger on the *second* connection).
> > > > >
> > > > >
> > > > 
> > > > 
> > > > -- 
> > > > Aaron Mason - Programmer, open source addict
> > > > I've taken my software vows - for beta or for worse
> > > >
> > > 
> > > I wrote a little daemon to do what we're looking for. It listens on
> > > specified ports, accepts the connection and executes a script so you can
> > > either use something like logger or pfctl, etc to do what you want with
> > > the address it connected from. If anyone wants to play with it let me
> > > know and I'll send you the tarball.
> > > 
> > > Edgar
> > > 
> > 
> > 
> > -- 
> > radek
> 
> It can be obtained at http://www.pettijohn-web.com/void-1.0.0.tar.gz
> 
> The manual isn't quite complete. The supplied script could really use
> some help as well as an rc script. The makefile is also cobbled
> together. It is pledged and unveiled. I think it can have a few of the
> pledges removed, but I haven't gotten that far. I think it is unveiled
> correctly, but this was my first time playing with it.
> 
> The only requirement is libevent2 to aid in portability, which was the
> driving force behind executing a script so that it could tie into
> whatever packet filter is in use. Any constructive suggestions and
> patches are more than welcome.
> 
> Enjoy.
> 
> Edgar
> 
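The daemon Edgar describes above (listen on otherwise unused ports, accept the connection so that pf actually sees an established TCP session, then hand the peer address to a script that can run `pfctl -t badguys -T add` or `logger`) can be sketched in a few dozen lines. The block below is an added example written for this thread; it is not the void-1.0.0 code from the tarball. The hook script path, the trap ports 2323 and 8023, and the `trapd` logger name are assumptions; the `badguys` table name comes from Edgar's `pfctl` output.

```python
#!/usr/bin/env python3
"""Added example, not the thread's void daemon: a minimal trap-port listener.

It accepts a connection, closes it without reading a byte (nothing is parsed,
so there is nothing for a scanner to exploit), and executes a hook script with
the peer address and local port.  The hook is where pfctl/logger would go."""
import logging
import socket
import subprocess
import threading

log = logging.getLogger("trapd")  # logger name is an assumption


def build_hook_command(script, addr, port):
    """argv for the hook: <script> <peer address> <local port>.
    The script path is an assumption, e.g. one that runs
    'pfctl -t badguys -T add "$1"' and logs "$1 $2" via logger."""
    return [script, str(addr), str(port)]


def run_hook(script, addr, port, runner=subprocess.run):
    """Run the hook and return its exit code.  A missing or failing hook is
    logged, never fatal: the listener must keep accepting so that one bad run
    does not silently disable blocking.  Returns None when the hook could not
    be executed at all."""
    try:
        result = runner(build_hook_command(script, addr, port),
                        check=False, timeout=10)
        return result.returncode
    except Exception as exc:  # FileNotFoundError, TimeoutExpired, ...
        log.error("hook %s failed for %s: %s", script, addr, exc)
        return None


def make_listener(port, host="0.0.0.0", backlog=16):
    """Bind a TCP listening socket; port 0 asks the kernel for a free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(backlog)
    return s


def accept_once(listener, script, runner=subprocess.run):
    """Accept one connection, drop it immediately, fire the hook.
    Returns (peer address, local port, hook exit code)."""
    conn, peer = listener.accept()
    port = listener.getsockname()[1]
    conn.close()  # the handshake completed; that is all pf needs to see
    rc = run_hook(script, peer[0], port, runner)
    return peer[0], port, rc


def serve(ports, script):
    """One daemon thread per trap port, each looping on accept_once forever."""
    def loop(port):
        ls = make_listener(port)
        while True:
            accept_once(ls, script)
    threads = [threading.Thread(target=loop, args=(p,), daemon=True)
               for p in ports]
    for t in threads:
        t.start()
    return threads


def connect_and_trap(script, runner=subprocess.run):
    """Loopback self-check: open a trap port on 127.0.0.1, connect to it once
    from this same process, and return what accept_once reported."""
    ls = make_listener(0, host="127.0.0.1")
    port = ls.getsockname()[1]
    out = {}
    t = threading.Thread(
        target=lambda: out.setdefault("r", accept_once(ls, script, runner)))
    t.start()
    socket.create_connection(("127.0.0.1", port)).close()
    t.join(5)
    ls.close()
    return out.get("r")


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Assumed trap ports and hook path; run as a user allowed to call pfctl.
    serve([2323, 8023], "/usr/local/sbin/trap-hook.sh")
    threading.Event().wait()
```

Because the listener completes the TCP handshake, a `max-src-conn-rate ... overload <badguys>` rule on the same ports also starts counting, which is the behaviour Stuart describes: pf only sees a connection once something accepts it. Keep the hook short and idempotent, since `pfctl -t ... -T add` of an address that is already in the table is harmless.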
