Auto blacklist ssh connections ...
Agus
agus.262 at gmail.com
Thu Sep 18 02:35:05 UTC 2008
2008/9/17 Mel <fbsd.questions at rachie.is-a-geek.net>:
> On Thursday 18 September 2008 01:15:45 Marc G. Fournier wrote:
>> Does anyone know of a utility that I can use with sshd to auto-block by IP
>> if there are more then N failed attempts in a row?
>
> # crontab -l
> @reboot /usr/sbin/daemon -p /var/run/grok-ssh.pid /usr/local/bin/grok -f /etc/pf/grok-ssh.conf
>
> # grep -- -0F /usr/local/bin/grok
> my $TAIL = "/usr/bin/tail -0F";
>
> ^^^^ so that newsyslog doesn't interfere.
>
> $ cat /etc/pf/grok-ssh.conf
> file "/var/log/auth.log" {
>     type "ssh-illegal-user" {
>         match = "Invalid user %USERNAME% from %IP%";
>         threshold = 5;                                  # 5 hits ...
>         key = "%IP%";                                   # from a single ip ...
>         interval = 60;                                  # in 1 minutes
>         reaction = "/root/bin/pfscanners %IP%";         # permanent
>     };
>
>     type "ssh-scan-possible" {
>         match = "Did not receive identification string from %IP%";
>         threshold = 3;
>         interval = 60;
>         reaction = "/sbin/pfctl -t scanners -Tadd %IP%";  # temporary
>     };
> };
>
> $ cat /root/bin/pfscanners
> #!/bin/sh
>
> # Add every IP given on the command line to the pf table and record it
> # in the table file so the block survives a reboot (table is "persist file").
> while [ -n "$1" ]; do
>     /sbin/pfctl -t scanners -Tadd "$1"
>     echo "$1" >> /etc/pf/scanners.table
>     shift
> done
>
> $ grep scanners /etc/pf.conf
> table <scanners> persist file "/etc/pf/scanners.table"
> block in log on $ext_if from <scanners>
>
> --
> Mel
>
> Problem with today's modular software: they start with the modules
> and never get to the software part.
>
Cool utilities.. :)
Also, if you want to watch other logs and be alerted about them,
you should try sec.pl... it's in the ports...
Very configurable, and it helps you with all the logs you want....
From there you could add it to hosts.allow, or you could launch a
script or a FW rule...
Cheers,
Agustin
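The threshold/interval logic that Mel's grok config relies on (N matching
lines with the same key IP inside one interval, then fire a reaction) can
be reproduced in a few lines if you want to understand or test it without
grok. The following is an added example written for this archive page; it
is not Mel's setup, not Agus's, and not part of grok or sec.pl. It assumes
the usual syslog auth.log layout ("Mon DD HH:MM:SS host sshd[pid]: msg"),
assumes "threshold within interval" means a sliding window over the last
`interval` seconds, fires each reaction once per (rule, IP), and only
returns the pfctl/pfscanners command strings rather than executing them,
so it can be run anywhere against the constructed sample lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed syslog-style auth.log line layout (no year in the timestamp).
LOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$'
)

# Rules mirroring the two "type" blocks in the quoted grok-ssh.conf.
# %USERNAME% / %IP% placeholders become regex groups; key is the IP.
RULES = {
    "ssh-illegal-user": {
        "pattern": re.compile(r'^Invalid user .+ from (?P<ip>\S+)'),
        "threshold": 5,
        "interval": 60,
        "reaction": "/root/bin/pfscanners {ip}",          # permanent
    },
    "ssh-scan-possible": {
        "pattern": re.compile(
            r'^Did not receive identification string from (?P<ip>\S+)'),
        "threshold": 3,
        "interval": 60,
        "reaction": "/sbin/pfctl -t scanners -Tadd {ip}",  # temporary
    },
}


def parse_ts(text, year=2008):
    """auth.log carries no year; assume one so timestamps can be compared."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


class Watcher:
    """Sliding-window hit counter keyed on (rule name, source IP)."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.hits = defaultdict(deque)   # (rule, ip) -> timestamps in window
        self.fired = set()               # (rule, ip) already reacted to

    def feed(self, line):
        """Return the reaction command if a threshold is crossed, else None."""
        m = LOG_RE.match(line)
        if not m:
            return None
        ts = parse_ts(m.group("ts"))
        for name, rule in self.rules.items():
            pm = rule["pattern"].match(m.group("msg"))
            if not pm:
                continue
            ip = pm.group("ip")
            window = self.hits[(name, ip)]
            window.append(ts)
            # Drop hits older than the interval, then compare with threshold.
            cutoff = ts - timedelta(seconds=rule["interval"])
            while window and window[0] < cutoff:
                window.popleft()
            if len(window) >= rule["threshold"] and (name, ip) not in self.fired:
                self.fired.add((name, ip))
                return rule["reaction"].format(ip=ip)
        return None


def run(lines):
    """Feed lines in order; return the list of reaction commands produced."""
    w = Watcher()
    return [cmd for cmd in (w.feed(l) for l in lines) if cmd]


# Constructed sample log lines (documentation-range IPs, not real hosts):
# 192.0.2.10   -> 5 invalid users in 5 seconds: should trigger pfscanners
# 198.51.100.7 -> 3 empty connects in 30 seconds: should trigger pfctl add
# 192.0.2.20   -> 5 invalid users 20 s apart: never 5 inside 60 s, no block
SAMPLE_LINES = [
    f"Sep 18 10:00:0{i} host sshd[1234]: Invalid user admin from 192.0.2.10"
    for i in range(1, 6)
] + [
    f"Sep 18 10:01:{s:02d} host sshd[1235]: Did not receive identification string from 198.51.100.7"
    for s in (0, 15, 30)
] + [
    f"Sep 18 10:{mm:02d}:{ss:02d} host sshd[1236]: Invalid user test from 192.0.2.20"
    for mm, ss in ((5, 0), (5, 20), (5, 40), (6, 0), (6, 20))
] + [
    "Sep 18 10:07:00 host sshd[1237]: Accepted publickey for bob from 192.0.2.30 port 50000 ssh2",
]

if __name__ == "__main__":
    for cmd in run(SAMPLE_LINES):
        print(cmd)
```

Swap the `print` for a `subprocess.run` of the command (with the IP passed
as a separate argument, never via a shell string) and read from `tail -0F`
instead of a list to turn this into a daemon equivalent to the cron entry
above; the part worth copying is the per-IP sliding window, which is what
keeps a slow, spread-out scan from being counted the same as a burst.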