Date: Wed, 13 Oct 2004 11:15:15 -0500 From: Paul Schmehl <pauls@utdallas.edu> To: "Brian J. McGovern" <bmcgover@cisco.com>, questions@freebsd.org Subject: Re: Automatic Firewall software? Message-ID: <4ACDF26414DB010421A6AD6C@utd49554.utdallas.edu> In-Reply-To: <200410131404.i9DE4ONU047345@bmcgover-pc.cisco.com> References: <200410131404.i9DE4ONU047345@bmcgover-pc.cisco.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--On Wednesday, October 13, 2004 10:04:24 AM -0400 "Brian J. McGovern" <bmcgover@cisco.com> wrote: > > Rather than having to hang over my machine is there any software out > there that will monitor logs (e.g. /var/log/messages), parse out failed > logins like this, and run an ipfw command to block it? Perhaps something > can be done via PAM? > Yes. Look at the Sentry Tools project at Sourceforge. (<http://sourceforge.net/projects/sentrytools/>) In particular, portsentry will do exactly what you want. It will throw up a temporary rule in ipfw blocking the host. (I say temporary because when you restart ipfw it will go away.) It will also add the host to your /etc/hosts.allow file, blocking it permanently from accessing privileged services. > An added extra bonus would be if it would unblock after some period > of time, in case a legit. user bungles their password, and can't get in > (saves the service call). > It won't do that, but you can just run ipfw show and then delete the rule. Then you can add that host to the portsentry.ignore file, and it will never happen again. (Or you can do it proactively if you know the hosts or networks your users will be coming from.) I've been using it for years. Works very well, but be careful. On a large server with lots of activity, you probably want to start by not blocking anything until you're comfortable with your ignore file. I also use logsentry on a number of hosts. Very nice program. Both are well written and quite mature. Paul Schmehl (pauls@utdallas.edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4ACDF26414DB010421A6AD6C>