Date:      Fri, 5 Mar 2010 10:55:16 -0500
From:      mikel king <mikel.king@olivent.com>
To:        John <john@starfire.mn.org>
Cc:        freebsd-questions@freebsd.org, Programmer In Training <pit@joseph-a-nagy-jr.us>
Subject:   Re: Thousands of ssh probes
Message-ID:  <627DE059-CCC7-47BC-9DC2-A8176F4913EA@olivent.com>
In-Reply-To: <20100305154439.GA17456@elwood.starfire.mn.org>
References:  <20100305125446.GA14774@elwood.starfire.mn.org> <4B910139.1080908@joseph-a-nagy-jr.us> <20100305132604.GC14774@elwood.starfire.mn.org> <F4960422-5F59-4FF4-A2E4-1F0A4772B78B@olivent.com> <20100305154439.GA17456@elwood.starfire.mn.org>


On Mar 5, 2010, at 10:44 AM, John wrote:

> On Fri, Mar 05, 2010 at 10:19:09AM -0500, mikel king wrote:
>>
>> On Mar 5, 2010, at 8:26 AM, John wrote:
>>
>> Way back about 10 years ago, I was playing around with IPFW a lot. I
>> wrote a script to update IPFW from changes made to a MySQL db. It was
>> a just-for-fun project that turned out to be rather useful. I had
>> some developers that I managed who, like you, were road warriors. They
>> logged in to the https web page w/ their username and password, which
>> grabbed their IP address and stored it in a table with their login
>> id.
>>
>> The script, called fud (for firewall update daemon), connected to the db
>> and ran a query to check for any rule changes. If there were, it would
>> apply them to the rule set and clear the change flag. Using this
>> combination I was able to allow ssh access only to the necessary ip
>> addresses.
>>
>> I kind of scrapped it when VPNs became easier to deploy and I have no
>> idea where this set of scripts is now, but it would be rather trivial
>> to build a new version.
>>
>> If anyone thinks it's worth revisiting hit me off list.
>
> Maybe I'll have to learn how to do a VPN from FreeBSD....
>
> One thought that occurs to me is that pf tables would provide a
> direct API without having to hit a database.
>
> I think I really like this.  I may have to implement it for pf.
> It should be really easy with CGI and calls to pfctl.
> -- 

There's probably a dozen ways to slice it now. I went with php, mysql
and ipfw, just because that was the theme back then. I also found it
handy to be able to log into the system and manually enter the ip
addressing if necessary. I would definitely add some better logging
than I did back then. Hmmm, giving me an idea for another article on
BSDNews.net... ;-)

cheers,
m!
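The pf-table variant John sketches above (a CGI that calls pfctl to add the
caller's address to a table referenced by the ssh pass rule), written out as
an added example. This is not code from either poster; the table name
ssh_allowed, the ext_if macro, the script name ssh-allow.cgi and the PFCTL
override are all assumptions. The point a practitioner should take from it is
the input check: REMOTE_ADDR arrives from a web request, so nothing reaches
pfctl until it is verified to be exactly four dotted-decimal octets, and stale
entries are aged out with pfctl's -T expire rather than living forever.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed pf.conf fragment it pairs with
# (pf evaluates rules last-match-wins unless "quick" is used, so the pass
# rule for table members comes after the general block):
#
#   ext_if = "em0"                       # assumption
#   table <ssh_allowed> persist          # persist: table survives being empty
#   block in on $ext_if proto tcp to port 22
#   pass  in on $ext_if proto tcp from <ssh_allowed> to port 22

# pfctl binary; set PFCTL=echo to dry-run on a box without pf.
: "${PFCTL:=pfctl}"
TABLE=ssh_allowed

# Strict IPv4 check. Returns 0 only for four dotted-decimal octets, each
# 0..255; anything else (letters, empty octets, 5 fields, >255) returns 1.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1                 # split on dots only; no glob chars can remain
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Add one address to the table; returns 1 without touching pfctl if the
# address fails validation, otherwise pfctl's exit status.
allow_ssh_from() {
    valid_ipv4 "$1" || { echo "rejected address: $1" >&2; return 1; }
    "$PFCTL" -t "$TABLE" -T add "$1"
}

# Remove entries added (or last zeroed with -T zero) more than $1 seconds
# ago, default one day, so a road warrior's old hotel address ages out.
expire_ssh_allow() {
    "$PFCTL" -t "$TABLE" -T expire "${1:-86400}"
}

# CGI entry point. The web server has already authenticated the user over
# HTTPS (as in the ipfw/MySQL setup described above); the only request
# data we act on is REMOTE_ADDR, which the server sets, not the client.
if [ -n "$REMOTE_ADDR" ] && [ "${0##*/}" = "ssh-allow.cgi" ]; then
    printf 'Content-Type: text/plain\r\n\r\n'
    if allow_ssh_from "$REMOTE_ADDR"; then
        echo "ssh allowed from $REMOTE_ADDR"
    else
        echo "could not allow $REMOTE_ADDR"
    fi
fi
```

Install it as a CGI behind HTTP authentication and run expire_ssh_allow from
cron; a manual fallback is just pfctl -t ssh_allowed -T add <addr> at the
console, which covers the "log in and enter the ip by hand" case mikel
mentions.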



