SSH login takes very long time...sometimes
Carl Makin
carl at xena.IPAustralia.gov.au
Thu Feb 16 20:07:59 PST 2006
Hi Atanas,
Atanas wrote:
> Does anybody know whether ipfw (or something else within FreeBSD-4) is
> capable of setting connection rate limits?
I'm using SEC to monitor the auth.log file and block any IP addresses
that fail a password 3 times within 60 seconds. I use the following
sec.conf file;
------------------------------------------------
# Block and report a source with 3 failed passwords within 60 seconds
type=SingleWithThreshold
ptype=RegExp
pattern=Failed password for (\S+) from (\S+) port (\S+) ssh2
desc=SSH attack from $2
action=shellcmd /usr/local/bin/ipfwadd.sh "$2" ; pipe 'Failed password for $1 from $2' /usr/bin/mail -s 'SSH Attack from $2' your@email.address
window=60
thresh=3

# Same response for 3 attempts as a nonexistent user within 60 seconds
type=SingleWithThreshold
ptype=RegExp
pattern=Illegal user (\S+) from (\S+)
desc=SSH attack from $2
action=shellcmd /usr/local/bin/ipfwadd.sh "$2" ; pipe 'Illegal user $1 from $2' /usr/bin/mail -s 'SSH Attack from $2' your@email.address
window=60
thresh=3
---------------------------------------------------------------------
and I'm still using ipfw so ipfwadd.sh looks like this;
--------------------------------------------------------------------
#!/bin/sh
# $1 is the source address captured by the SEC rule
/sbin/ipfw -q add 15 deny ip from "$1" to any in via tun0
--------------------------------------------------------------------
and run it with
sec -conf=/usr/local/etc/sec.conf -input=/var/log/auth.log -pid=/var/run/sec.pid -detach
Hope this helps,
Carl.
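
Added example, not part of the original post or of SEC: a variant of ipfwadd.sh that validates its argument before building the ipfw rule, because "$2" in the rules above is whatever (\S+) captured from the log line. The function names is_ipv4 and block_cmd and the APPLY variable are assumptions made for this example; rule number 15 and tun0 are taken from the post.

```sh
#!/bin/sh
# Added example: ipfwadd.sh with argument validation (IPv4 only).

# Return 0 only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case "$1" in
        # empty, non digit/dot characters, leading/trailing/double dots
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ????*|0?*) return 1 ;;   # too long, or leading zero
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the ipfw command for a validated address, fail otherwise.
# Hostnames and ipfw keywords such as "any" are rejected here.
block_cmd() {
    is_ipv4 "$1" || { echo "ipfwadd: refusing argument" >&2; return 1; }
    printf '/sbin/ipfw -q add 15 deny ip from %s to any in via tun0\n' "$1"
}

# Dry run by default: print the rule. APPLY=1 (assumed name) installs it.
if [ "$#" -gt 0 ]; then
    rule=$(block_cmd "$1") || exit 64
    if [ "${APPLY:-0}" = 1 ]; then $rule; else echo "$rule"; fi
fi
```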