auth.log & intruder prevention

Paul Hamilton paulh at bdug.org.au
Wed Jan 25 19:03:55 PST 2006 

Hi Daniel,

On your web site, you show how easy it is to convert to IPTABLES.  I presume
then it would be quite easy to reconfigure to use IPFW as well?

Cheers,

Paul

> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org 
> [mailto:owner-freebsd-questions at freebsd.org] On Behalf Of Daniel Gerzo
> Sent: Wednesday, 25 January 2006 7:58 AM
> To: Ilias.Sachpazidis at igd.fraunhofer.de
> Cc: questions at freebsd.org
> Subject: Re: auth.log & intruder prevention
> 
> 
> On Tue, Jan 24, 2006 at 10:02:26PM +0100, Ilias Sachpazidis wrote:
> > Hi Everyone,
> 
> hello,
>    
> > 
> > In auth.log of my FreeBSD boxes I got many requests to port 
> 22, as you 
> > can see below. ----begin of snippet
> > Jan 22 11:21:50 zeus sshd[92900]: Failed password for 
> illegal user cracking
> > from 65.208.188.105 port 58344 ssh2
> > Jan 22 11:21:53 zeus sshd[92902]: Failed password for 
> illegal user hacking
> > from 65.208.188.105 port 58443 ssh2
> > ----end of snippet
> > 
> > I am wondering if any script is available to prevent hundreds of 
> > attempts on port 22 from external IPs that constantly 
> checking user & 
> > passwords on my FreeBSD PCs.
> > 
> > What I am looking for is a deamon application/script that 
> receives the 
> > recorded data from auth.log and detects if any remote client (IP 
> > address) is checking user and passwords (Detection pattern: 
> 5 missing 
> > attempts in 1 min). On a successful detection, the script 
> should add 
> > an ipfw rule rejecting further IP packets from the specific remote 
> > address.
> > 
> > Is any script or something similar available so far?
> 
> I've written a BruteForceBlocer, you can install it from 
> ports as well, check security/bruteforceblocker.
> 
> Hope you will like it.
> 
> -- 
> Sincerely,
>    Daniel Gerzo
> _______________________________________________
> freebsd-questions at freebsd.org mailing list 
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to 
> "freebsd-questions-unsubscribe at freebsd.org"
> 
>

More information about the freebsd-questions mailing list