Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 25 Jan 2006 01:41:02 +0100
From:      "Ilias Sachpazidis" <isachpaz@igd.fhg.de>
To:        "'Daniel Gerzo'" <danger@rulez.sk>
Cc:        questions@freebsd.org
Subject:   RE: auth.log & intruder prevention
Message-ID:  <002201c62148$0565fe10$050a0a0a@hermes>
In-Reply-To: <20060124235744.GA99424@daemon.rulez.sk>
next in thread | previous in thread | raw e-mail | index | archive | help 
Thanks Daniel,

I was about to develop a perl script.
It, however, seems that bruteforceblocker does what I was looking for.

Thanks again,

Ilias


-----Original Message-----
From: Daniel Gerzo [mailto:danger@rulez.sk] 
Sent: Mittwoch, 25. Januar 2006 00:58
To: Ilias.Sachpazidis@igd.fraunhofer.de
Cc: questions@freebsd.org
Subject: Re: auth.log & intruder prevention

On Tue, Jan 24, 2006 at 10:02:26PM +0100, Ilias Sachpazidis wrote:
> Hi Everyone,

hello,
   
> 
> In auth.log of my FreeBSD boxes I got many requests to port 22, as you can
> see below.
> ----begin of snippet
> Jan 22 11:21:50 zeus sshd[92900]: Failed password for illegal user
cracking
> from 65.208.188.105 port 58344 ssh2
> Jan 22 11:21:53 zeus sshd[92902]: Failed password for illegal user hacking
> from 65.208.188.105 port 58443 ssh2
> ----end of snippet
> 
> I am wondering if any script is available to prevent hundreds of attempts
on
> port 22 from external IPs that constantly checking user & passwords on my
> FreeBSD PCs.
> 
> What I am looking for is a deamon application/script that receives the
> recorded data from auth.log and detects if any remote client (IP address)
is
> checking user and passwords (Detection pattern: 5 missing attempts in 1
> min). On a successful detection, the script should add an ipfw rule
> rejecting further IP packets from the specific remote address.
> 
> Is any script or something similar available so far? 

I've written a BruteForceBlocer, you can install it from ports as well,
check security/bruteforceblocker.

Hope you will like it.

-- 
Sincerely,
   Daniel Gerzo

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?002201c62148$0565fe10$050a0a0a>