Date:      Wed, 17 Sep 2008 23:35:04 -0300
From:      Agus <agus.262@gmail.com>
To:        Mel <fbsd.questions@rachie.is-a-geek.net>
Cc:        "Marc G. Fournier" <scrappy@hub.org>, freebsd-questions@freebsd.org
Subject:   Re: Auto blacklist ssh connections ...
Message-ID:  <fda61bb50809171935y63bfb7a4jebbd0064c53bba7@mail.gmail.com>
In-Reply-To: <200809180149.17189.fbsd.questions@rachie.is-a-geek.net>
References:  <14143EECEC1CC52A4BC39AC3@ganymede.hub.org> <200809180149.17189.fbsd.questions@rachie.is-a-geek.net>

2008/9/17 Mel <fbsd.questions@rachie.is-a-geek.net>:
> On Thursday 18 September 2008 01:15:45 Marc G. Fournier wrote:
>> Does anyone know of a utility that I can use with sshd to auto-block by IP
>> if there are more then N failed attempts in a row?
>
> # crontab -l
> @reboot /usr/sbin/daemon -p /var/run/grok-ssh.pid /usr/local/bin/grok -f /etc/pf/grok-ssh.conf
>
> # grep -- -0F /usr/local/bin/grok
> my $TAIL = "/usr/bin/tail -0F";
>
> ^^^^ so that newsyslog doesn't interfere.
>
> $ cat /etc/pf/grok-ssh.conf
> file "/var/log/auth.log" {
>        type "ssh-illegal-user" {
>                match = "Invalid user %USERNAME% from %IP%";
>                threshold = 5;   # 5 hits ...
>                key = "%IP%";    # from a single ip ...
>                interval = 60;   # in 1 minutes
>                reaction = "/root/bin/pfscanners %IP%"; # permanent
>        };
>
>        type "ssh-scan-possible" {
>                match = "Did not receive identification string from %IP%";
>                threshold = 3;
>                interval = 60;
>                reaction = "/sbin/pfctl -t scanners -Tadd %IP%"; #temporary
>        };
> };
>
> $ cat /root/bin/pfscanners
> #!/bin/sh
>
> while( test ! -z "$1" ); do
>        /sbin/pfctl -t scanners -Tadd $1
>        echo $1 >> /etc/pf/scanners.table
>        shift
> done
>
> $ grep scanners /etc/pf.conf
> table <scanners> persist file "/etc/pf/scanners.table"
> block in log on $ext_if from <scanners>
>
> --
> Mel
>
> Problem with today's modular software: they start with the modules
>    and never get to the software part.
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>

Cool utilities..:)

Also, if you want to watch other logs and be alerted
about that... you should try sec.pl.... it's in the ports...
Very configurable and helps you with all the logs you want....
From there you could add it to the hosts.allow or you could launch a
script or a FW rule...

Cheers,
Agustin
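The threshold / interval / reaction logic of the grok-ssh.conf quoted above, and the "launch a script or a FW rule" reaction Agus mentions, as an added Python sketch written for this archive page (it is not grok's code and did not come from anyone in the thread). It assumes a sliding window per %IP% (grok's own counting may differ), a constructed auth.log sample with the year 2008 assumed for the syslog timestamps, and it only builds the pfctl command from the quoted config instead of running it.

```python
import re
import time
from collections import defaultdict, deque

IP = r"(?P<IP>\d{1,3}(?:\.\d{1,3}){3})"   # stands in for %IP% in the grok config
RULES = [  # (type name, match pattern, threshold, interval in seconds), as in grok-ssh.conf
    ("ssh-illegal-user", re.compile(r"Invalid user \S+ from " + IP), 5, 60),
    ("ssh-scan-possible", re.compile(r"Did not receive identification string from " + IP), 3, 60),
]

def syslog_epoch(line, year=2008):
    """Syslog lines carry no year; 2008 is an assumption for the constructed sample."""
    return time.mktime(time.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S"))

def watch(lines, rules=RULES):
    """Return the reactions (pfctl commands) that would fire, in order: one per
    (rule, IP) whenever `threshold` hits from that IP fall inside `interval` seconds."""
    hits = defaultdict(deque)   # (rule name, ip) -> timestamps of recent hits
    reactions = []
    for line in lines:
        ts = syslog_epoch(line)
        for name, pattern, threshold, interval in rules:
            m = pattern.search(line)
            if not m:
                continue
            window = hits[(name, m.group("IP"))]
            window.append(ts)
            while ts - window[0] > interval:   # forget hits older than the interval
                window.popleft()
            if len(window) >= threshold:
                window.clear()                 # react once per burst, then start counting again
                reactions.append(["/sbin/pfctl", "-t", "scanners", "-Tadd", m.group("IP")])
    return reactions

# Constructed auth.log excerpt: 10.0.0.5 trips the 5-in-60s rule, 10.0.0.9 makes
# 5 attempts but spread over more than a minute, 192.0.2.7 trips the scan rule.
SAMPLE_LOG = """\
Sep 17 23:00:00 gw sshd[100]: Invalid user admin from 10.0.0.5
Sep 17 23:00:05 gw sshd[101]: Invalid user oracle from 10.0.0.5
Sep 17 23:00:10 gw sshd[102]: Invalid user test from 10.0.0.5
Sep 17 23:00:15 gw sshd[103]: Invalid user guest from 10.0.0.5
Sep 17 23:00:20 gw sshd[104]: Invalid user www from 10.0.0.5
Sep 17 23:00:25 gw sshd[105]: Invalid user bob from 10.0.0.9
Sep 17 23:00:40 gw sshd[106]: Invalid user bob from 10.0.0.9
Sep 17 23:02:00 gw sshd[107]: Invalid user bob from 10.0.0.9
Sep 17 23:02:10 gw sshd[108]: Invalid user bob from 10.0.0.9
Sep 17 23:02:20 gw sshd[109]: Invalid user bob from 10.0.0.9
Sep 17 23:03:00 gw sshd[110]: Did not receive identification string from 192.0.2.7
Sep 17 23:03:01 gw sshd[111]: Did not receive identification string from 192.0.2.7
Sep 17 23:03:02 gw sshd[112]: Did not receive identification string from 192.0.2.7
"""
```

Feeding the sample through `watch(SAMPLE_LOG.splitlines())` yields two reactions, for 10.0.0.5 and 192.0.2.7; a real deployment would pair this with the persistent `<scanners>` table and `block in` rule from the quoted pf.conf.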


