Date:      Fri, 17 Feb 2006 15:07:52 +1100
From:      Carl Makin <carl@xena.IPAustralia.gov.au>
To:        Atanas <atanas@asd.aplus.net>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: SSH login takes very long time...sometimes
Message-ID:  <43F54C18.5000704@xena.ipaustralia.gov.au>
In-Reply-To: <43F5322C.1090603@asd.aplus.net>
References:  <59e2ee810512250841t75157e62rec9dc389ac716534@mail.gmail.com>	<20051227101621.GA16276@walton.maths.tcd.ie>	<86irrfoix5.fsf@xps.des.no>	<43F4E3B0.1090806@asd.aplus.net>	<43F514BD.608@cytexbg.com> <43F5322C.1090603@asd.aplus.net>

Hi Atanas,

Atanas wrote:
> Does anybody know whether ipfw (or something else within FreeBSD-4) is 
> capable of setting connection rate limits?

I'm using SEC to monitor the auth.log file and block any IP addresses 
that fail a password 3 times within 60 seconds.  I use the following 
sec.conf file:

------------------------------------------------
# Block an address after 3 failed passwords within 60 seconds.
type=SingleWithThreshold
ptype=RegExp
pattern=Failed password for (\S+) from (\S+) port (\S+) ssh2
desc=SSH attack from $2
action=shellcmd /usr/local/bin/ipfwadd.sh "$2" ; pipe 'Failed password for $1 from $2' /usr/bin/mail -s 'SSH Attack from $2' your@email.address
window=60
thresh=3

# Same threshold for login attempts with unknown user names.
type=SingleWithThreshold
ptype=RegExp
pattern=Illegal user (\S+) from (\S+)
desc=SSH attack from $2
action=shellcmd /usr/local/bin/ipfwadd.sh "$2" ; pipe 'Illegal user $1 from $2' /usr/bin/mail -s 'SSH Attack from $2' your@email.address
window=60
thresh=3

---------------------------------------------------------------------

and I'm still using ipfw so ipfwadd.sh looks like this:

--------------------------------------------------------------------
#!/bin/sh
# Called by SEC with the offending address as $1; adds a deny rule for it.
/sbin/ipfw -q add 15 deny ip from "$1" to any in via tun0
--------------------------------------------------------------------

and run it with
sec -conf=/usr/local/etc/sec.conf -input=/var/log/auth.log -pid=/var/run/sec.pid -detach


Hope this helps,


Carl.
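
The ipfwadd.sh wrapper in the message receives whatever the (\S+) group captured from auth.log, so a stricter variant can check that its argument is a plain IPv4 address before handing it to ipfw. The script below is an added example, not part of the original message; the NEVER_BLOCK list and the logger call are assumptions, while rule number 15 and tun0 are taken from ipfwadd.sh.

```shell
#!/bin/sh
# Added example: stricter stand-in for ipfwadd.sh. Rule number 15 and tun0
# come from the message; NEVER_BLOCK and the logger call are assumptions.

# Hypothetical allowlist of addresses that must never be blocked (constructed).
NEVER_BLOCK="127.0.0.1 192.0.2.10"

# Return 0 only if $1 is a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray chars, empty octet
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split on dots into $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac # no leading zeros (octal ambiguity)
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the ipfw command for $1. Returns 1 for a malformed argument and
# 2 for an allowlisted address; nothing is printed in either case.
block_cmd() {
    valid_ipv4 "$1" || return 1
    for keep in $NEVER_BLOCK; do
        [ "$1" = "$keep" ] && return 2
    done
    echo "/sbin/ipfw -q add 15 deny ip from $1 to any in via tun0"
}

# When SEC calls the script with an argument, apply the rule or log a refusal.
if [ "$#" -gt 0 ]; then
    if cmd=$(block_cmd "$1"); then
        $cmd        # safe to word-split: $1 was validated as digits and dots
    else
        logger -p auth.warning -t ipfwadd "refused argument passed by SEC"
    fi
fi
```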



