Date:      Thu, 21 Aug 2008 11:31:30 -0700
From:      David Wolfskill <david@catwhisker.org>
To:        Mikhail Teterin <mi+mill@aldan.algebra.com>
Cc:        freebsd-security@freebsd.org, freebsd-stable@freebsd.org
Subject:   Re: machine hangs on occasion - correlated with ssh break-in attempts
Message-ID:  <20080821183130.GQ801@bunrab.catwhisker.org>
In-Reply-To: <48ADA81E.7090106@aldan.algebra.com>
References:  <48ADA81E.7090106@aldan.algebra.com>



On Thu, Aug 21, 2008 at 01:38:38PM -0400, Mikhail Teterin wrote:
> ...
> I wrote an awk-script, which adds a block of the attacking IP-address to
> the ipfw-rules after three such "invalid user" attempts with:
>
>    ipfw add 550 deny ip from ip
>
> The script is fed by syslogd directly -- through a syslog.conf rule
> ("|/opt/sbin/auth-log-watch").
> ...

At a previous employer, we were building mail relay boxen (FreeBSD
6.0 - 6.2 timeframe); at one point, It Was Decided that rather than
having /var/log/maillog written directly by syslogd(8), syslogd(8)
would feed a Perl script that would do some "Database Things" and
then get around to appending to /var/log/maillog itself.

While the amount of work involved was assuredly greater in that case
than in yours, those of us who were actually building and running the
relays in question were very unsurprised when Postfix performance
improved significantly following a redesign of the application, so that
/var/log/maillog was written by syslogd(8) and the Perl script was
effectively fed via "tail -F".

> Once in a while I manually flush these rules... Is this a good (safe)
> reaction?

I also see such things (on my home "firewall" machine); my approach
is quite a bit different.  If folks are interested, I could probably
discuss it a bit, but I believe that would be, at best, tangential
to your note, and thus ought not be crafted as if it were part of
the thread -- and definitely does not warrant the cross-post.

> ...

Peace,
david
-- 
David H. Wolfskill				david@catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.

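The design David describes (syslogd keeps writing the log file; a separate watcher reads it via "tail -F" and reacts) is shown below as an added example. It is not code from either poster's setup: the rule number 550 and the three-attempt threshold are taken from Mikhail's description, the "to any" clause is added because ipfw's grammar requires a destination, and the auth.log lines are constructed. The script only prints the ipfw commands so the output can be inspected before it is piped to sh.

```shell
#!/bin/sh
# Added example, not from the original thread. Counts OpenSSH
# "Invalid user" attempts per source address read from stdin and emits
# one ipfw deny rule when an address reaches the threshold. Intended use:
#   tail -F /var/log/auth.log | sh auth-log-watch.sh | sh
# so syslogd writes the file and the watcher follows it, rather than
# syslogd piping into the script. Threshold and rule number are
# overridable through the environment.

THRESHOLD=${THRESHOLD:-3}
RULE_NUM=${RULE_NUM:-550}

# Read log lines on stdin; print "ipfw add <rule> deny ip from <addr> to any"
# exactly once per address, at the moment it hits THRESHOLD attempts.
block_rules() {
    awk -v threshold="$THRESHOLD" -v rule="$RULE_NUM" '
        /sshd\[[0-9]+\]: Invalid user / {
            # OpenSSH logs "Invalid user <name> from <addr>[ port <n>]".
            # Take the field after the last "from" so an odd user name
            # cannot shift the address column.
            addr = ""
            for (i = 1; i <= NF; i++)
                if ($i == "from" && i < NF) addr = $(i + 1)
            if (addr == "") next
            count[addr]++
            # Fire once, when the count reaches the threshold, so a noisy
            # source does not produce duplicate rules.
            if (count[addr] == threshold)
                printf "ipfw add %d deny ip from %s to any\n", rule, addr
        }'
}

# Constructed sample lines in FreeBSD auth.log format (not real traffic).
# 192.0.2.10 makes four invalid-user attempts, 198.51.100.7 only one, and
# a successful publickey login is mixed in and must be ignored.
SAMPLE_LOG='Aug 21 11:20:01 gw sshd[1234]: Invalid user admin from 192.0.2.10
Aug 21 11:20:03 gw sshd[1235]: Invalid user oracle from 192.0.2.10
Aug 21 11:20:04 gw sshd[1236]: Invalid user test from 198.51.100.7
Aug 21 11:20:06 gw sshd[1237]: Invalid user admin from 192.0.2.10
Aug 21 11:20:07 gw sshd[1238]: Accepted publickey for david from 203.0.113.5 port 40122 ssh2
Aug 21 11:20:09 gw sshd[1239]: Invalid user admin from 192.0.2.10'

# Run the watcher over the constructed sample; used for a quick self-check.
sample_rules() {
    printf '%s\n' "$SAMPLE_LOG" | block_rules
}

# When executed directly (not sourced), show the rules the sample produces.
case "$0" in
    *auth-log-watch.sh) sample_rules ;;
esac
```

Run against the sample, exactly one rule comes out, for 192.0.2.10, on its third attempt; the single-attempt address and the accepted login produce nothing. Because the rules are printed rather than executed, the operator can review (or rate-limit, or whitelist against) the output before letting it touch the firewall.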