Date: Tue, 22 Dec 2009 09:53:07 +0545
From: Gaurav Ghimire <gaurav@subisu.net.np>
To: Kevin <k@kevinkevin.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: External scripts with PF.
Message-ID: <4B304627.5020209@subisu.net.np>
In-Reply-To: <03bd01ca8255$83b5a0f0$8b20e2d0$@com>
References: <4B2F0E9D.7020603@subisu.net.np> <7731938b0912210709l2dfbea79u4aa7c245e82bd203@mail.gmail.com> <03bd01ca8255$83b5a0f0$8b20e2d0$@com>
Kevin wrote:
>> For tracking source IPs and adding them to a table, you can already do
>> this, c.f. max-src-conn and overload in the pf.conf man page.
>>
>> If you use the overload keyword to dump the bad IPs into a table then
>> as a quick and dirty solution for scripting you can then run a script
>> from cron every few minutes to do something like:
>>
>> pfctl -t table_name_with_bad_ips -T show
>
> To continue on Peter's idea, here's a script I wrote to parse pf tables and
> send email alerts based on the output. You can run it as a regular cronjob:
>
> http://blog.stardothosting.com/2009/08/12/freebsd-pf-packet-filter-shell-script-to-report-on-hacking-attempts/
>
> It's not up-to-the-minute, but it works pretty well as a daily mail alert.

Hi Kevin and all,

Thanks for your replies. Yes, regarding reporting the bad IPs, I have already done something like your script here: http://nixify.blogspot.com/2009/10/getting-reports-on-intrusion-attempts.html . But this time what I wanted was something else: at times a few clients from my own network fall into the abusive_ips table I have built to stop any such malicious floods emerging from my network, be it because of worms or malware. I have a pf table that overloads itself when a threshold is crossed, as referred to by Peter. I was thinking whether I could trigger an external script each time the table is loaded with an IP. Say I have rules something like:

    block in log quick on $ext_if proto tcp from <abusive_ips> to any
    block in log quick on $ext_if proto udp from <abusive_ips> to any
    pass in quick on $ext_if proto tcp from any to <servers_mail> port $mail_ports keep state (max-src-conn 15, max-src-conn-rate 5/5, overload <abusive_ips> flush)

This would block any SMTP flooding attempts from any IPs. But I was thinking whether I could be informed via an email alert that a new IP has been added to the table abusive_ips.
It seems this would have been possible if there was a possibility that I could trigger an external script on the 3rd rule I have. And the external script would just do pfctl -t abusive_ips -T show and mail it to me, or I could just have some more intelligence there and save a record of the previous show output and mail the diffs; that way I could get the new IPs that have been added to the table, and inform those clients that they have something fishy going on at their end that is bombing my mail servers. That way I would not need to make it a regular cron job and would have the advantage of running it only when a new IP is added to the table. Was just thinking if this could have been possible.

Again, thanks for your replies.

Regards,
--
Gaurav Ghimire
System Administrator - Systems (R&D)
Subisu Cablenet (P.) Ltd.
148 Thirbum Sadak
Baluwatar, Kathmandu
Nepal
T: 00977 1 4429616/17 Ext.: 121
F: 00977 1 4430572
http://www.subisu.net.np
(An ISO 9001:2000 Certified Company)
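The "save the previous show output and mail the diffs" approach described above, as an added example that is not code from this thread or from either linked script. It assumes a table named abusive_ips, a state file under /var/db, alerts going to root, and a cron entry invoking it with the argument "run"; without that argument it only exercises the comparison on constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the thread: report addresses newly added to a pf
# table by diffing `pfctl -t <table> -T show` against the previous run's snapshot.
# Assumed names: table abusive_ips, state file under /var/db, alerts to root.
export LC_ALL=C
TABLE="${TABLE:-abusive_ips}"
STATE="${STATE:-/var/db/pf-${TABLE}.last}"
MAILTO="${MAILTO:-root}"

# Normalise `pfctl -T show` output: strip leading blanks, drop empty lines, sort
# uniquely so the two lists can be compared with comm(1).
normalize() {
    sed 's/^[[:space:]]*//' | grep -v '^$' | sort -u
}

# new_entries PREV CUR: print addresses in CUR that were not in PREV.
# Both arguments are newline-separated lists as printed by `pfctl -T show`.
new_entries() {
    prev_f=$(mktemp) || return 1
    cur_f=$(mktemp) || { rm -f "$prev_f"; return 1; }
    printf '%s\n' "$1" | normalize > "$prev_f"
    printf '%s\n' "$2" | normalize > "$cur_f"
    comm -13 "$prev_f" "$cur_f"      # lines only in the second (current) file
    rm -f "$prev_f" "$cur_f"
}

# Query the live table, mail only the additions, then save the new snapshot.
report_new() {
    prev=$( [ -r "$STATE" ] && cat "$STATE" )
    cur=$(pfctl -t "$TABLE" -T show) || return 1
    added=$(new_entries "$prev" "$cur")
    if [ -n "$added" ]; then
        printf 'New entries in pf table <%s>:\n%s\n' "$TABLE" "$added" \
            | mail -s "pf: new addresses in <$TABLE>" "$MAILTO"
    fi
    printf '%s\n' "$cur" > "$STATE"
}

# Constructed sample snapshots (documentation addresses, not real clients).
SAMPLE_PREV="   192.0.2.10
   192.0.2.11"
SAMPLE_CUR="   192.0.2.10
   192.0.2.11
   198.51.100.7
   203.0.113.42"

if [ "${1:-}" = run ]; then
    report_new          # from cron, e.g.: */5 * * * * /usr/local/sbin/pf-table-alert.sh run
else
    new_entries "$SAMPLE_PREV" "$SAMPLE_CUR"   # offline demo on the constructed samples
fi
```

Because the state file is rewritten on every run, a client that is flushed from the table and later re-added shows up as a new entry again, which is the behaviour wanted for a per-incident alert.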