Re: pf and hosts.deny
On Sat, Apr 19, 2008 at 10:02 AM, Vikas N Kumar <[EMAIL PROTECTED]> wrote:
> Any help will be appreciated.
>

Thanks for all the help provided.

Regards
Vikas
Re: pf and hosts.deny
Ok. I'm slow enough writing that others have started to answer also...

Vikas N Kumar wrote:
> ... I have set maximum number
> of tries to just 2, I would like to be able to note down the IP address
> (after say 10 unsuccessful login attempts) from where the attacks are coming
> in and then dynamically add them to hosts.deny for the next few days or
> permanently...

Working with hosts.deny is not a pf feature, but it might be glued together.

Curt Micol wrote:
> I think this is what you want:
> http://home.nuug.no/~peter/pf/en/bruteforce.html

As Curt just answered, PF tables are an option. See also
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf

I am getting good mileage out of "The Book of PF", and tables are covered there pp 67-71 and pp 31-32. Maybe using PF's tables is enough for you.

There are at least four pieces that might be useful if you really want a script to add to hosts.deny.

1) pf.conf
2) pfctl
3) sshd_config
4) /var/log/authlog

Henri Salo wrote:
> There was a topic in a misc 2008-04-16 with subject "PF ssh bruteforce
> logging and blocking". You should read it.

Basically, you can have the blocked addresses exported from the PF table. From there they can be imported via a script into hosts.deny or anywhere else you might want. The tool for that is pfctl with the "-t" and "-T show" options:
http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl

However, PF only logs the connection attempts. The sshd_config keyword "MaxAuthTries" will specifically log failed attempts to log in, per connection, if they exceed 1/2 the maximum number of tries for that connection.
http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config

However, if each attempt is on a new connection, then that's not necessarily a help for you.

The failed attempts will also show up in /var/log/authlog, regardless. e.g.

Apr 16 17:13:27 +gateway sshd[12708]: Failed password for root from 218.106.52.91 port 58224 ssh2

And that can be parsed for addresses.

Regards,
-Lars
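The glue script Lars sketches above, written out as an added example that is not code from this thread: it counts sshd "Failed password" lines per source address in authlog output, emits hosts.deny entries for addresses at or above a threshold, and converts the address list printed by `pfctl -t <table> -T show` into the same format. The table name `bruteforce`, the threshold argument and all sample log lines except the one Lars quoted are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Turns sshd's "Failed password"
# authlog lines, or the address list from a PF table, into hosts.deny entries.
# POSIX sh + awk only, so it runs from cron on an OpenBSD base install.

# Constructed sample authlog lines (only the first 218.106.52.91 line is from
# the thread; the rest are made up to exercise the parser).
SAMPLE_AUTHLOG='Apr 16 17:13:27 gateway sshd[12708]: Failed password for root from 218.106.52.91 port 58224 ssh2
Apr 16 17:13:31 gateway sshd[12708]: Failed password for root from 218.106.52.91 port 58224 ssh2
Apr 16 17:14:02 gateway sshd[12710]: Failed password for invalid user admin from 218.106.52.91 port 58300 ssh2
Apr 16 17:20:45 gateway sshd[12722]: Failed password for vikas from 10.0.0.5 port 40112 ssh2
Apr 16 17:21:03 gateway sshd[12723]: Accepted publickey for vikas from 10.0.0.5 port 40113 ssh2'

# failed_counts < authlog  ->  "<count> <ip>" per source address, highest first.
# Matches both "Failed password for USER from IP" and
# "Failed password for invalid user USER from IP"; other lines are ignored.
failed_counts() {
    awk '/sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port [0-9]+/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# deny_entries THRESHOLD < authlog  ->  "sshd: <ip>" lines for hosts.deny,
# only for addresses with at least THRESHOLD failures (the poster wanted 10).
deny_entries() {
    failed_counts | awk -v t="$1" '$1 >= t { print "sshd: " $2 }'
}

# table_to_deny  ->  same format from "pfctl -t <table> -T show" output,
# which prints one address (or prefix) per line with leading whitespace.
table_to_deny() {
    awk 'NF { print "sshd: " $1 }'
}

# Example cron invocation (assumes a PF table named "bruteforce"); a real job
# would also drop entries already present in hosts.deny before appending.
#   deny_entries 10 < /var/log/authlog >> /etc/hosts.deny
#   pfctl -t bruteforce -T show | table_to_deny >> /etc/hosts.deny
```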
Re: pf and hosts.deny
On Sat, 19 Apr 2008 10:02:50 -0400 "Vikas N Kumar" <[EMAIL PROTECTED]> wrote:
> Hi
>
> I have OpenBSD 4.2 on a Pentium II laptop running fine, with its ssh
> port 22 open to the web. However, there are a lot of attacks on that
> port from various IP addresses across the globe. Even though I have
> set maximum number of tries to just 2, I would like to be able to
> note down the IP address (after say 10 unsuccessful login attempts)
> from where the attacks are coming in and then dynamically add them to
> hosts.deny for the next few days or permanently.
>
> Can pf do this ? I read the manual but could not find such a feature.
>
> I can always write a cron script that reads the messages log file and
> does this sort of thing, but I was hoping that if such a feature
> pre-exists I wouldn't have to do it.
>
> Any help will be appreciated.
>
> Thanks & Regards
> Vikas

There was a topic in a misc 2008-04-16 with subject "PF ssh bruteforce logging and blocking". You should read it.

--
Henri Salo +358407705733
GPG ID: 2EA46E4F
fp: 14D0 7803 BFF6 EFA0 9998 8C4B 5DFE A106 2EA4 6E4F
Re: pf and hosts.deny
On Sat, Apr 19, 2008 at 10:02 AM, Vikas N Kumar <[EMAIL PROTECTED]> wrote:
> Can pf do this ? I read the manual but could not find such a feature.

I think this is what you want:
http://home.nuug.no/~peter/pf/en/bruteforce.html

--
# Curt Micol
pf and hosts.deny
Hi

I have OpenBSD 4.2 on a Pentium II laptop running fine, with its ssh port 22 open to the web. However, there are a lot of attacks on that port from various IP addresses across the globe. Even though I have set maximum number of tries to just 2, I would like to be able to note down the IP address (after say 10 unsuccessful login attempts) from where the attacks are coming in and then dynamically add them to hosts.deny for the next few days or permanently.

Can pf do this ? I read the manual but could not find such a feature.

I can always write a cron script that reads the messages log file and does this sort of thing, but I was hoping that if such a feature pre-exists I wouldn't have to do it.

Any help will be appreciated.

Thanks & Regards
Vikas