From owner-freebsd-questions@FreeBSD.ORG Mon Sep 22 20:05:18 2008
Delivered-To: freebsd-questions@freebsd.org
Message-ID: <2daa8b4e0809221305v6f5000f1w11090e4a85c21162@mail.gmail.com>
Date: Mon, 22 Sep 2008 13:05:12 -0700
From: "David Allen"
To: freebsd-questions@freebsd.org
In-Reply-To: <20080922200121.289abdcb.ghirai@ghirai.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <2daa8b4e0809220817v10c4a657l6ee76f853a62b246@mail.gmail.com> <20080922200121.289abdcb.ghirai@ghirai.com>
Subject: Re: Dealing with portscans
X-List-Received-Date: Mon, 22 Sep 2008 20:05:18 -0000

On 9/22/08, Ghirai wrote:
> On Mon, 22 Sep 2008 08:17:02 -0700
> "David Allen" wrote:
>
>> Over the last few weeks I've been getting numerous port scans, each
>> from unique hosts. The situation is more of an annoyance than
>> anything else, but I would prefer not seeing or having to deal with
>> an extra 20-30K entries in my logs as was the case recently.
>>
>> I use pf for firewalling, and while it does offer different methods
>> (max-src-conn, max-src-conn-rate, etc.) for dealing with abusive
>> hosts, it doesn't seem to offer much in the way of dealing with
>> repeated blocked (non-stateful) connection attempts from a given host.
>>
>> Short of running something like snort, is there a suitable tool for
>> dealing with this? If not, I'll probably resort to running a cronjob
>> to parse the logfile and add the offending hosts manually.
>
> Add the abusive hosts to a table x, via max-src-conn, max-src-conn-rate,
> etc., then add near the top of your ruleset:
>
> block drop quick from

You either didn't read my message or have misunderstood pf. The features
you (and I) mention apply only to rules which create state. If your rules
are written for port 22, 25, and 80 traffic, for example, you can most
certainly make use of those features. However, receiving SYN packets to
ports 1024-40000 isn't going to match anything other than a default
"block all" rule, which creates no state. That gives you zero such
features to work with, but does give you 38976 individual log entries.
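As an added illustration of the cron-driven approach David mentions (this is not code from the thread or from the pf project), the shell function below reads pflog output, counts how many distinct destination ports each source hit in blocked packets, and lists the sources above a threshold so they can be fed into a pf table that a `block ... quick from <table>` rule matches. The log line format (that of `tcpdump -n -e -ttt -r /var/log/pflog`), the threshold, the table name `scanners` and the sample lines are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Lists sources that probed many
# distinct ports in pf "block" log entries, so they can be put in a pf table.
# Assumed input format (one packet per line) is that of
#   tcpdump -n -e -ttt -r /var/log/pflog
# i.e. "... rule N/0(match): block in on em0: SRC.SPORT > DST.DPORT: ..."

# offenders THRESHOLD: read log lines on stdin, print "SRC COUNT" for every
# source whose blocked packets hit more than THRESHOLD distinct dest ports.
offenders() {
    awk -v thr="$1" '
        $0 !~ /: block / { next }           # only logged blocks, not passes
        {
            src = ""; dst = ""
            for (i = 2; i < NF; i++)
                if ($i == ">") { src = $(i - 1); dst = $(i + 1); break }
            if (src == "") next
            sub(/\.[0-9]+$/, "", src)       # drop the source port
            sub(/:$/, "", dst)
            n = split(dst, p, ".")          # last dotted field is dest port
            key = src SUBSEP p[n]
            if (!(key in seen)) { seen[key] = 1; ports[src]++ }
        }
        END { for (s in ports) if (ports[s] > thr) print s, ports[s] }
    ' | sort
}

# Constructed sample: one host sweeps five ports (one of them twice), another
# host is passed to port 22 and blocked once on port 23.
SAMPLE_LOG='00:00:00.000000 rule 0/0(match): block in on em0: 203.0.113.5.40001 > 192.0.2.1.1025: S 1:1(0) win 1024
00:00:00.000010 rule 0/0(match): block in on em0: 203.0.113.5.40002 > 192.0.2.1.1026: S 1:1(0) win 1024
00:00:00.000010 rule 0/0(match): block in on em0: 203.0.113.5.40003 > 192.0.2.1.1027: S 1:1(0) win 1024
00:00:00.000010 rule 0/0(match): block in on em0: 203.0.113.5.40004 > 192.0.2.1.1028: S 1:1(0) win 1024
00:00:00.000010 rule 0/0(match): block in on em0: 203.0.113.5.40005 > 192.0.2.1.1029: S 1:1(0) win 1024
00:00:00.000010 rule 0/0(match): block in on em0: 203.0.113.5.40006 > 192.0.2.1.1025: S 1:1(0) win 1024
00:00:00.000010 rule 2/0(match): pass in on em0: 198.51.100.7.51000 > 192.0.2.1.22: S 1:1(0) win 1024
00:00:00.000010 rule 0/0(match): block in on em0: 198.51.100.7.51001 > 192.0.2.1.23: S 1:1(0) win 1024'

# Usage from cron, assuming pf.conf contains
#   table <scanners> persist
#   block drop in quick on $ext_if from <scanners>
# would be:
#   tcpdump -n -e -ttt -r /var/log/pflog | offenders 20 |
#       awk '{ print $1 }' | xargs -n 1 pfctl -t scanners -T add
printf '%s\n' "$SAMPLE_LOG" | offenders 3      # prints: 203.0.113.5 5
```

Because the table rule is evaluated before the default block, a host added this way stops generating log entries even though the packets it sends never match a stateful rule.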