Limit connections doesn't work
Torsten Kersandt
torsten at cnc-london.net
Sun Dec 6 16:17:48 UTC 2009
Hi,
I personally have all ssh and similar ports closed on my servers.
If I want to connect to the server via ssh or whatever function, I log in to a hidden PHP page which adds my current IP to a SQL table.
I use SQL because I'm not the only one using this and want to keep track of which admin is logging in.
A cron job runs every minute, looks in the table, adds the new IP addresses to the pf include file and reloads PF.
Every night at 4am, I empty the text file and reload pf.
I know that this could be done more elegantly, but KISS is what I like.
In addition I have tcpserver running a perl script on a non-privileged port to add an IP to the SQL tables if apache fails.
#!/bin/sh
### MySQL Setup ###
MUSER="username"
MPASS="password"
MHOST="localhost"
MYSQL="/usr/local/bin/mysql"
### pf include file that pf.conf reads the allowed addresses from ###
PFALLOW="/usr/local/etc/pf/pf.VNCallow"
#
### Get all new IP addresses (rows inserted during the last 60 seconds) ###
DBS="$("$MYSQL" -u "$MUSER" -h "$MHOST" -p"$MPASS" -Bse 'select ipAddress from intranet.ipCleared WHERE `timestamp` > (UNIX_TIMESTAMP()-60)')"
added=0
for ip in $DBS
do
    ## this bit is emailed to me over cron run-output if a new IP address was found
    echo "$ip" >> "$PFALLOW"
    echo "Added $ip to VNC Access from MYSQL Table"
    added=1
done
## reload pf once, and only when something was actually added
if [ "$added" -eq 1 ]; then
    /etc/rc.d/pf reload
fi