something like bruteblock for pf?

Len Conrad LConrad at Go2France.com
Sun Aug 23 15:49:29 UTC 2009


>On 08/22/2009 10:57 PM Peter Maxwell wrote:
>>2009/8/23 Len Conrad <LConrad at go2france.com>:
>>>I'm looking for something like bruteblock that logwatches (smtp, ssh, ftp, whatever) and inserts/removes TCP block rules into pf for x hours, so the protocol daemons are involved.
>...
>>Before implementing something like this, I would urge caution: if what
>>you're asking was actually of any use, someone else would probably
>>have done it properly.   I can't imagine how log entries from an ftp
>>server, say, are going to be related to your smtp server security?  If
>>it's a simple connection management, then
>>max-src-conn/max-src-conn-rate might be a more robust solution.
>
>http://johan.fredin.info/openbsd/block_ssh_bruteforce.html explains how to use max-src-conn-rate and expiretable.
>
># pkg_info -x expiretable
>Information for expiretable-0.6:
>
>Comment:
>Utility to remove entries from the pf(4) table based on their age
>
>Description:
>Expiretable is a utility used to remove entries from the pf(4) table
>based on their age.
>
>The age in question being the amount of time that has passed since
>the statistics for each entry in the target table was last cleared.
>
>WWW: http://expiretable.fnord.se/

I have no problem putting IPs into pf, it's expiring them that was blocking me, but expiretable fixes that.

I don't use pf for protecting these "sacrificial" machines generally, only for reactive blocking.

thanks
Len
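The max-src-conn-rate plus expiretable approach the thread points to, written out as an added pf.conf example (not from any of the posters or from the linked page); the interface macro, table name, thresholds and the expiretable install path are assumptions:

```conf
# --- pf.conf fragment (added example, names and limits are assumptions) ---
ext_if = "em0"

# Table holding sources that tripped the rate limit. "persist" keeps the
# table (and its entries) across rule reloads.
table <bruteforce> persist

# Drop everything from an address already in the table, before any pass rule.
block in quick on $ext_if from <bruteforce>

# Allow SSH, but an address opening more than 5 new connections in 30 s
# (or holding more than 10 at once) is added to <bruteforce>, and
# "flush global" tears down every state that address already has.
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, \
     overload <bruteforce> flush global)

# --- crontab entry (run as root): let expiretable do the expiring ---
# Every 10 minutes, remove entries whose statistics were last cleared
# more than 24 hours ago, i.e. addresses quiet for a day get unblocked.
# */10 * * * * /usr/local/sbin/expiretable -v -t 24h bruteforce
```

The same `overload` pattern applies to other services (swap `port ssh` for `port smtp` or `port ftp`), which is what makes this a pf-only alternative to a log-watching daemon; `pfctl -t bruteforce -T show` lists what is currently blocked.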

More information about the freebsd-pf mailing list