Automatically add attacks to deny list?

Olivier Nicole on at cs.ait.ac.th
Mon Oct 3 18:19:03 PDT 2005


> Whenever someone tries a portscan or http server vulnerability scan on my
> system, I have to manually add their IP in my /etc/ipfw.conf file such as:
> add 100 deny all from xx.xxx.xxx.xxx to any
> 
> Is there a way, without enabling blackhole, to dynamically add IPs to my
> blacklist after a certain packet/sec limit or some other way?

I'd say that the problem is not to find how to do that, but to decide
whether it is a good thing to automatically deny an IP.

There must be some plugin for snort that does what you want, but the risk
is that either your filtering is too soft and you miss blocking some IP, or
too harsh and you block some legitimate traffic.

Olivier
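
Added example, not part of the original message: a small sliding-window rate detector showing the trade-off described above, emitting deny lines in the /etc/ipfw.conf form quoted in the question. The function names, thresholds, allow list and sample events are constructed for illustration.

```python
from collections import defaultdict, deque
import ipaddress

def sample_events():
    """Constructed (unix_time, source_ip) events using documentation-range IPs."""
    events = []
    # Fast scanner: 60 connection attempts in 6 seconds.
    events += [(1000 + i * 0.1, "203.0.113.9") for i in range(60)]
    # Slow scanner: one probe every 30 s for 20 minutes.
    events += [(1000 + i * 30, "198.51.100.7") for i in range(40)]
    # Legitimate browser: three page loads, 15 requests each, 120 s apart.
    for page in range(3):
        events += [(1100 + page * 120 + i * 0.05, "192.0.2.50") for i in range(15)]
    return sorted(events)

def offenders(events, max_hits, window, allow=()):
    """Return IPs with more than max_hits events inside any `window` seconds."""
    allow_nets = [ipaddress.ip_network(n) for n in allow]
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    flagged = []
    for ts, ip in events:
        # Never count addresses on the allow list (assumed trusted hosts).
        if any(ipaddress.ip_address(ip) in n for n in allow_nets):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_hits and ip not in flagged:
            flagged.append(ip)
    return flagged

def ipfw_rules(ips, rule_no=100):
    """Format deny lines like the one quoted from /etc/ipfw.conf."""
    return [f"add {rule_no} deny all from {ip} to any" for ip in ips]

if __name__ == "__main__":
    ev = sample_events()
    # Too harsh: the browser's page-load burst is blocked with the scanner.
    print("10 hits/10s :", offenders(ev, 10, 10))
    # Too soft for the slow scanner: only the fast one is caught.
    print("30 hits/10s :", offenders(ev, 30, 10))
    # A long window catches the slow scanner; the allow list spares the browser.
    for rule in ipfw_rules(offenders(ev, 10, 600, allow=["192.0.2.0/24"])):
        print(rule)
```
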


More information about the freebsd-ipfw mailing list