From owner-freebsd-stable@FreeBSD.ORG Thu Aug 21 20:42:54 2008
From: Michael Butler <imb@protected-networks.net>
Date: Thu, 21 Aug 2008 16:42:34 -0400
To: freebsd-stable@FreeBSD.org
Cc: freebsd-security@freebsd.org
Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts
Message-ID: <48ADD33A.9030907@protected-networks.net>
In-Reply-To: <48ADCDAD.80507@gmail.com>
References: <48ADA81E.7090106@aldan.algebra.com> <48ADCDAD.80507@gmail.com>

I do something related to this with fwlogwatch, although it can probably be
adapted to any similar tool; when I hit the 'block' threshold, I execute
something like:

    #!/bin/sh
    # $3 is the offending address handed over by fwlogwatch; tag the table
    # entry with the current hour (0-23) so the cleaner knows when it was added
    HR=`date "+%-k"`
    /sbin/ipfw table 0 add "$3" "${HR}"

.. so each entry has a tag indicating the hour at which the block was
initiated. At 5 to the hour, I run a simple cron job which does this to clean
out everything older than 24 hours ..

    #!/bin/sh
    # Runs at five minutes to the hour: entries tagged with the coming hour
    # were added roughly 24 hours ago and are due for removal.
    HR=`date -v+1H "+%-k"`
    # use an unpredictable temp file rather than /tmp/xx.$$
    TMP=`mktemp /tmp/fwlw_clean.XXXXXX` || exit 1
    /sbin/ipfw table 0 list >"$TMP"
    # each line of the listing is "addr/mask value"
    while read ADDR TAG
    do
        case "$TAG" in
        ${HR})
            /sbin/ipfw table 0 delete "$ADDR"
            echo -n `date +"%H:%M:%S"` >>/var/log/fwlw_clean_log
            echo " fwlw_clean: removed $ADDR from table 0" >>/var/log/fwlw_clean_log
            ;;
        esac
    done <"$TMP"
    rm -f "$TMP"

I also have a script in /usr/local/etc/rc.d which saves the current state in
the event of an orderly shutdown and restores it on boot:

    #!/bin/sh
    # Save the block table on orderly shutdown, restore it on boot.
    CACHE=/var/db/ipfw/cache0
    case "$1" in
    start)
        # nothing to restore until the first clean shutdown has written the cache
        [ -f "$CACHE" ] || exit 0
        while read ADDR TAG
        do
            /sbin/ipfw table 0 add "$ADDR" "$TAG"
        done <"$CACHE"
        ;;
    stop)
        /sbin/ipfw table 0 list >"$CACHE"
        ;;
    restart)
        $0 $DEBUG stop
        $0 $DEBUG start
        exit $?
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
    esac
    exit 0

Of course, this only works for IPv4 because of the restriction on the ipfw
table data, but it's just an example,

	Michael
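The following is an added example and is not part of Michael's post or of fwlogwatch: it carries the same block / expire / persist scheme through with an epoch timestamp as the table value instead of an hour-of-day tag, so expiry becomes "older than MAX_AGE seconds" and no longer depends on the cron job running exactly once per hour. It assumes ipfw(8) tables whose per-entry value is a 32-bit number (an epoch timestamp fits), date(1) with %s and logger(1); the IPFW variable, the subcommand names and the cache path are this example's own choices.

```sh
#!/bin/sh
# Added example, not from the original post: block/expire/persist for an
# ipfw table, tagging each entry with the epoch time of the block.
# Assumptions: ipfw(8) tables with a 32-bit numeric per-entry value,
# date(1) supporting %s, logger(1). IPFW can be pointed at a stub for testing.
TABLE=${TABLE:-0}
MAX_AGE=${MAX_AGE:-86400}    # seconds a block stays in place
IPFW=${IPFW:-/sbin/ipfw}

# block_addr ADDR: add ADDR to the table, tagged with the current epoch time.
block_addr() {
    "$IPFW" table "$TABLE" add "$1" "$(date +%s)"
}

# select_expired NOW MAX_AGE: read "addr/mask value" lines (the format of
# "ipfw table N list") on stdin and print the addresses whose tag is at
# least MAX_AGE seconds old at time NOW. Lines without a purely numeric
# tag are skipped rather than deleted by accident.
select_expired() {
    now=$1
    max_age=$2
    while read -r addr tag junk || [ -n "$addr" ]; do
        case $tag in
        ''|*[!0-9]*) continue ;;
        esac
        if [ $((now - tag)) -ge "$max_age" ]; then
            printf '%s\n' "$addr"
        fi
    done
}

# expire_blocks: cron job body; remove every entry older than MAX_AGE.
# A missed cron run simply expires more entries on the next run instead
# of holding them until the same hour comes around again.
expire_blocks() {
    "$IPFW" table "$TABLE" list |
    select_expired "$(date +%s)" "$MAX_AGE" |
    while read -r addr; do
        "$IPFW" table "$TABLE" delete "$addr" &&
            logger -t fwlw_clean "removed $addr from table $TABLE"
    done
}

# save_table FILE / restore_table FILE: rc.d-style persistence. Because the
# tag is an absolute time, entries saved at shutdown still expire correctly
# after a reboot, and anything already stale is dropped while restoring.
save_table() {
    "$IPFW" table "$TABLE" list >"$1"
}
restore_table() {
    [ -f "$1" ] || return 0
    now=$(date +%s)
    while read -r addr tag junk || [ -n "$addr" ]; do
        case $tag in
        ''|*[!0-9]*) continue ;;
        esac
        if [ $((now - tag)) -lt "$MAX_AGE" ]; then
            "$IPFW" table "$TABLE" add "$addr" "$tag"
        fi
    done <"$1"
}

# Dispatch only when invoked with an argument: from fwlogwatch as
# "script block $3", from cron as "script expire", from rc.d as save/restore.
if [ $# -gt 0 ]; then
    case $1 in
    block)   block_addr "$2" ;;
    expire)  expire_blocks ;;
    save)    save_table "${2:-/var/db/ipfw/cache$TABLE}" ;;
    restore) restore_table "${2:-/var/db/ipfw/cache$TABLE}" ;;
    *) echo "usage: $0 block ADDR | expire | save [FILE] | restore [FILE]" >&2
       exit 1 ;;
    esac
fi
```

The cron entry can then run "script expire" every few minutes rather than at five to the hour, and restore_table doing its own age check means a box that was down for a day does not come back up with a table full of blocks that should already have lapsed.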