Date: Fri, 17 Feb 2006 15:07:52 +1100
From: Carl Makin <carl@xena.IPAustralia.gov.au>
To: Atanas <atanas@asd.aplus.net>
Cc: freebsd-stable@freebsd.org
Subject: Re: SSH login takes very long time...sometimes
Message-ID: <43F54C18.5000704@xena.ipaustralia.gov.au>
In-Reply-To: <43F5322C.1090603@asd.aplus.net>
References: <59e2ee810512250841t75157e62rec9dc389ac716534@mail.gmail.com> <20051227101621.GA16276@walton.maths.tcd.ie> <86irrfoix5.fsf@xps.des.no> <43F4E3B0.1090806@asd.aplus.net> <43F514BD.608@cytexbg.com> <43F5322C.1090603@asd.aplus.net>

Hi Atanas,

Atanas wrote:
> Does anybody know whether ipfw (or something else within FreeBSD-4) is
> capable of setting connection rate limits?

I'm using SEC to monitor the auth.log file and block any IP addresses that fail a password 3 times within 60 seconds.

I use the following sec.conf file;

------------------------------------------------
type=SingleWithThreshold
ptype=RegExp
pattern=Failed password for (\S+) from (\S+) port (\S+) ssh2
desc=SSH attack from $2
action=shellcmd /usr/local/bin/ipfwadd.sh "$2" ; pipe 'Failed password for $1 from $2' /usr/bin/mail -s 'SSH Attack from $2' your@email.address
window=60
thresh=3

type=SingleWithThreshold
ptype=RegExp
pattern=Illegal user (\S+) from (\S+)
desc=SSH attack from $2
action=shellcmd /usr/local/bin/ipfwadd.sh "$2" ; pipe 'Illegal user $1 from $2' /usr/bin/mail -s 'SSH Attack from $2' your@email.address
window=60
thresh=3
---------------------------------------------------------------------

and I'm still using ipfw so ipfwadd.sh looks like this;

--------------------------------------------------------------------
#!/bin/sh
/sbin/ipfw -q add 15 deny ip from $1 to any in via tun0
--------------------------------------------------------------------

and run it with

sec -conf=/usr/local/etc/sec.conf -input=/var/log/auth.log -pid=/var/run/sec.pid -detach

Hope this helps,

Carl.
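
A variant of the ipfwadd.sh helper above that validates its argument, as an added example that is not part of Carl's message: the address is captured from a log line with (\S+) and handed to a script that runs as root, so it checks for a plain dotted-quad IPv4 address before calling ipfw. The IPFW override and the NEVER_BLOCK list are assumptions of this example.

```shell
#!/bin/sh
# Added example: ipfwadd.sh with argument validation (not the script from the message).
# Assumptions: IPFW can be overridden for dry runs; NEVER_BLOCK is a
# space-separated list of addresses that must never be denied (constructed value).
IPFW=${IPFW:-/sbin/ipfw}
NEVER_BLOCK=${NEVER_BLOCK:-"192.0.2.10"}

# is_ipv4 ADDR: succeed only for a dotted quad with four octets in 0..255.
# Anything else is refused, including the ipfw keyword "any", which would
# turn the rule into "deny ip from any to any".
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    rest=$1.
    count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        # No leading zeros (some parsers read them as octal), at most 3 digits.
        case "$octet" in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# block_ip ADDR: returns 2 for a malformed argument, 3 for a protected
# address, otherwise the exit status of ipfw.
block_ip() {
    if ! is_ipv4 "$1"; then
        echo "ipfwadd: argument is not an IPv4 address, no rule added" >&2
        return 2
    fi
    case " $NEVER_BLOCK " in
        *" $1 "*) return 3 ;;
    esac
    # Same rule as in the message, with the address quoted.
    "$IPFW" -q add 15 deny ip from "$1" to any in via tun0
}

# SEC calls the script with the captured address as $1.
if [ $# -gt 0 ]; then
    block_ip "$1"
fi
```

Setting IPFW=echo prints the rule instead of installing it, which is a convenient way to try the SEC configuration against a copy of auth.log.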