From owner-freebsd-questions@FreeBSD.ORG Mon Sep 22 17:01:31 2008 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 228421065675 for ; Mon, 22 Sep 2008 17:01:31 +0000 (UTC) (envelope-from ghirai@ghirai.com) Received: from ghirai.com (ghirai.com [193.33.187.90]) by mx1.freebsd.org (Postfix) with ESMTP id DC5DE8FC28 for ; Mon, 22 Sep 2008 17:01:25 +0000 (UTC) (envelope-from ghirai@ghirai.com) Received: from deimos.bsd.nix (unknown [89.123.56.243]) by ghirai.com (Postfix) with ESMTPSA id E666B16FF4 for ; Mon, 22 Sep 2008 18:01:12 +0100 (BST) Date: Mon, 22 Sep 2008 20:01:21 +0300 From: Ghirai To: freebsd-questions@freebsd.org Message-Id: <20080922200121.289abdcb.ghirai@ghirai.com> In-Reply-To: <2daa8b4e0809220817v10c4a657l6ee76f853a62b246@mail.gmail.com> References: <2daa8b4e0809220817v10c4a657l6ee76f853a62b246@mail.gmail.com> X-Mailer: Sylpheed 2.5.0 (GTK+ 2.12.11; i386-portbld-freebsd7.0) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: Re: Dealing with portscans X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 22 Sep 2008 17:01:31 -0000 On Mon, 22 Sep 2008 08:17:02 -0700 "David Allen" wrote: > Over the last few weeks I've been getting numerous ports scans, each > from unique hosts. The situation is more of an annoyance than > anything else, but I would prefer not seeing or having to deal with > an extra 20-30K entries in my logs as was the case recently. > > I use pf for firewalling, and while it does offer different methods > (max-src-conn, max-src-conn-rate, etc.) for dealing with abusive > hosts, it doesn't seem to offer much in the way of dealing with > repeated blocked (non-stateful) connection attempts from a given host. > > Short of running something like snort, is there a suitable tool for > dealing with this? If not, I'll probably resort to running a cronjob > to parse the logfile and add the offending hosts manually. Add the abusive hosts to a table x, via max-src-conn, max-src-conn-rate, etc., then add near the top of your ruleset: block drop quick from Hope it helps. Regards, Ghirai.