IP Banning (Using IPFW)
Philip Hallstrom
freebsd at philip.pjkh.com
Sun Feb 5 12:21:11 PST 2006
> I was wondering if there's some sort of port available that can actively ban
> IPs that try and bruteforce a service such as SSH or Telnet, by scanning the
> /var/log/auth.log log for Regex such as "Illegal User" or "LOGIN FAILURES",
> and then using IPFW to essentially deny (ban) that IP for a certain period of
> time or possibly forever.
>
> I've seen a very useful one that works for linux (fail2ban), and was
> wondering if one exists for FreeBSD's IPFW?

There are some in the ports, but you can write your own pretty easy too.
The one thing I didn't like about the ones in the ports is the app was
responsible for removing the rules after a set amount of time. Which
could be a problem if that app crashed for some reason. You could lock
yourself out permanently...

Here's a quick perl script I wrote that does what you want...

http://pastebin.com/540575

Combine that with these two crontab entries:

0-59/4 * * * * /sbin/ipfw delete 501 >/dev/null 2>&1
2-59/4 * * * * /sbin/ipfw delete 500 >/dev/null 2>&1

-philip
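
Added example, not part of the original post and not the Perl script behind the pastebin link: a Python scanner that pairs with the two crontab entries above, so that cron alone expires every ban. Assumptions of this example: the sshd line formats in the constructed sample, the threshold of 3, the whitelist, and the choice of rule number by minute (always the rule that cron flushed most recently, so a ban lasts between 2 and 4 minutes). It returns the ipfw commands rather than running them.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the style of sshd entries in /var/log/auth.log.
SAMPLE_LOG = """\
Feb  5 12:01:10 host sshd[411]: Illegal user admin from 203.0.113.5
Feb  5 12:01:12 host sshd[411]: Failed password for illegal user admin from 203.0.113.5 port 4021 ssh2
Feb  5 12:01:15 host sshd[415]: Illegal user test from 203.0.113.5
Feb  5 12:01:20 host sshd[420]: Failed password for root from 198.51.100.7 port 5110 ssh2
Feb  5 12:01:30 host sshd[431]: Accepted password for alice from 192.0.2.10 port 6001 ssh2
Feb  5 12:01:40 host sshd[440]: Failed password for alice from 192.0.2.10 port 6002 ssh2
Feb  5 12:01:41 host sshd[440]: Failed password for alice from 192.0.2.10 port 6003 ssh2
Feb  5 12:01:42 host sshd[440]: Failed password for alice from 192.0.2.10 port 6004 ssh2
"""

# Anchored at end of line: the user name field is remote-supplied text, so
# only the final "from <addr>" written by sshd itself is trusted.
FAILED = re.compile(
    r"sshd\[\d+\]: (?:Illegal user|Failed password for) .* from (\S+)(?: port \d+ ssh2)?$"
)

def failed_sources(log_text):
    """Count failed-login lines per source IPv4 address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line.rstrip())
        if not m:
            continue
        try:
            counts[str(ipaddress.IPv4Address(m.group(1)))] += 1
        except ValueError:
            continue  # hostname or garbage: never hand it to ipfw
    return counts

def rule_for_minute(minute):
    """Cron deletes 501 at minutes 0,4,8,... and 500 at 2,6,10,...; use the
    rule flushed most recently so the ban survives at least 2 minutes."""
    return 501 if minute % 4 < 2 else 500

def ban_commands(log_text, minute, threshold=3, whitelist=()):
    """Build ipfw deny commands for sources at or over the threshold."""
    rule = rule_for_minute(minute)
    return [f"/sbin/ipfw add {rule} deny ip from {ip} to any"
            for ip, n in sorted(failed_sources(log_text).items())
            if n >= threshold and ip not in whitelist]

if __name__ == "__main__":
    for cmd in ban_commands(SAMPLE_LOG, minute=21, whitelist={"192.0.2.10"}):
        print(cmd)
```

Because the scanner only ever adds rules under 500 or 501, a crash leaves nothing behind that the crontab entries will not remove within 4 minutes.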