Re: security/portsentry removal

From: Moin Rahman <bofh_at_freebsd.org>
Date: Sat, 08 Apr 2023 14:16:33 UTC

> On Apr 8, 2023, at 3:55 PM, Pete Wright <pete@nomadlogic.org> wrote:
> 
> 
> On 4/8/23 12:47 AM, Andrea Venturoli wrote:
>> On 4/8/23 04:56, Mel Pilgrim wrote:
>> 
>>>> Can anyone suggest something equivalent in the port tree?
>>> 
>>> Have a look at fail2ban.  Its design intent is monitoring running services, but really it's just a set of log file regex filters. Anything that logs network activity can feed it.
>> 
>> Hello and thanks for answering.
>> In fact I'm already using fail2ban for "running" services.
>> 
>> Portsentry is a bit different, in that it's conceived to listen on ports used by non-running services.
>> I.e.
>> Got a SMTP server? Let fail2ban check its logs.
>> No? Let portsentry listen on port 25.
>> 
>> I thought about writing regexes for fail2ban to check if ipfw denied access to ports where portsentry used to listen.
>> So far it's the best idea I've come up with, but I hoped for something simpler (i.e. closer to how portsentry worked).
>> 
> 
> would blacklistd(8) meet your requirements?  I use it to block ssh login spammers with decent success.  It's part of the base system as well, but does require pf.
> 
> -p
> 
> 

blacklistd is a good product as it's available out of the box; however, from my experience fail2ban does a better job. As far as I recall, blacklistd is supported only by ssh and postfix. One more thing is that blacklistd does not detect brute force attacks of invalid users in ssh.

Kind regards,
Moin (with all hats off)
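Andrea's idea earlier in the thread, feeding ipfw deny lines for the ports portsentry used to watch into fail2ban, worked through as an added example (not code from the thread or from either project): the filter regex and the maxretry count, run over constructed /var/log/security lines. The exact ipfw syslog format, the sentinel port list and the host names are assumptions.

```python
import re
from collections import defaultdict

# Ports no service listens on here, i.e. where portsentry used to sit (constructed list).
SENTINEL_PORTS = {23, 25, 110, 143, 445, 1433, 3389}

# Assumed shape of an ipfw deny line in /var/log/security:
#   "... kernel: ipfw: <rule> Deny TCP <src>:<sport> <dst>:<dport> in via <iface>"
# The source address and destination port are captured so that only
# inbound hits on sentinel ports are counted.
IPFW_DENY_RE = re.compile(
    r"ipfw: \d+ Deny (?P<proto>TCP|UDP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) in via \S+"
)


def fail2ban_failregex(ports=SENTINEL_PORTS):
    """Same match expressed as a fail2ban failregex line (<HOST> marks the banned IP)."""
    alts = "|".join(str(p) for p in sorted(ports))
    return rf"ipfw: \d+ Deny (?:TCP|UDP) <HOST>:\d+ \S+:(?:{alts}) in via \S+"


def sentinel_hits(lines, ports=SENTINEL_PORTS):
    """Return {source_ip: count} of denied connections to sentinel ports."""
    hits = defaultdict(int)
    for line in lines:
        m = IPFW_DENY_RE.search(line)
        if m and int(m.group("dport")) in ports:
            hits[m.group("src")] += 1
    return dict(hits)


def hosts_to_ban(lines, maxretry=3, ports=SENTINEL_PORTS):
    """Sources reaching fail2ban's maxretry threshold, sorted for stable output."""
    return sorted(ip for ip, n in sentinel_hits(lines, ports).items() if n >= maxretry)


# Constructed sample log: one scanner probing three sentinel ports, one single
# probe, one hit on port 80 (a running service, left to its own fail2ban jail)
# and one accepted connection that must not match at all.
SAMPLE_LOG = [
    "Apr  8 03:12:01 gw kernel: ipfw: 65000 Deny TCP 203.0.113.7:51234 192.0.2.10:25 in via em0",
    "Apr  8 03:12:02 gw kernel: ipfw: 65000 Deny TCP 203.0.113.7:51235 192.0.2.10:23 in via em0",
    "Apr  8 03:12:04 gw kernel: ipfw: 65000 Deny TCP 203.0.113.7:51236 192.0.2.10:445 in via em0",
    "Apr  8 03:13:10 gw kernel: ipfw: 65000 Deny TCP 198.51.100.4:40000 192.0.2.10:25 in via em0",
    "Apr  8 03:13:11 gw kernel: ipfw: 65000 Deny TCP 198.51.100.9:40001 192.0.2.10:80 in via em0",
    "Apr  8 03:13:12 gw kernel: ipfw: 100 Accept TCP 198.51.100.9:40002 192.0.2.10:22 in via em0",
]

if __name__ == "__main__":
    print(fail2ban_failregex())
    print(sentinel_hits(SAMPLE_LOG), hosts_to_ban(SAMPLE_LOG))
```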