RFC: Fam/Python based script for bruteforce blocking
Mel Flynn
mel.flynn+fbsd.questions at mailing.thruhere.net
Sat Dec 19 12:38:30 UTC 2009
On Thursday 17 December 2009 16:34:22 Brandon Low wrote:
> I'd love to hear other people's feedback on this approach of using FAM +
> auth.log to implement this and/or to hear of other superior approaches
> to achieving this result.
Well, my first problem with it is obviously that I now need python, where I
don't want python. In fact, my firewalls/gateways only have /bin/sh and
/bin/csh as scripting languages. It's one reason I switched from custom
sysutils/grok rules to using security/sshguard - it got rid of perl for me.
Secondly, you have matching rules coded in the script. If there were one
reason to prefer this script over sshguard, it would be that I can add attack
patterns more easily, in a config file with a syntax that's not too obscure.
Last but not least, you assume that once an IP is at fault, I want that IP
blocked permanently. In practice you end up with an extremely large table that
might eventually be too big for a default PF table and recurring scans from
the same IP are not that common (you see the IP in a 12-24 hour window, then
not again).
Hope this helps.
--
Mel
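A /bin/sh sketch of what Mel is asking for, added here as an example and not code from the thread, from Brandon's script or from sshguard: attack patterns live in a config file (one extended regex per line), matching uses only grep, sed and awk, and offending addresses go into a PF table that is aged out with `pfctl -T expire` instead of growing forever. The table name `bruteforce`, the pattern-file format, the threshold, the 24-hour expiry, the script name and the sample log lines are all assumptions made for this example; it also assumes pf.conf declares `table <bruteforce> persist` and a rule such as `block in quick from <bruteforce>`.

```shell
#!/bin/sh
# Added example, not code from the thread: bruteforce blocking with nothing
# but /bin/sh, grep, sed, awk and pfctl.  Everything named here is assumed:
# the PF table "bruteforce" (pf.conf: table <bruteforce> persist, plus a rule
# like "block in quick from <bruteforce>"), the pattern-file format, the
# threshold and the 24-hour expiry.

TABLE="${TABLE:-bruteforce}"   # PF table the addresses go into (assumed name)
THRESHOLD="${THRESHOLD:-5}"    # matching log lines from one IP before blocking
EXPIRE="${EXPIRE:-86400}"      # seconds an entry lives; covers the 12-24h window
DRY_RUN="${DRY_RUN:-1}"        # 1 = print pfctl commands, 0 = run them (needs root)

# Run a command, or just echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Attack patterns live in a plain file, one extended regex per line, so new
# signatures are added without touching the script.
# Print the IPv4 address found on every log line that matches any pattern.
matching_ips() {   # $1 = pattern file, $2 = log file
    grep -E -f "$1" "$2" |
        sed -E -n 's/.*[^0-9.]([0-9]{1,3}(\.[0-9]{1,3}){3})([^0-9.].*)?$/\1/p'
}

# Print "count ip" for every address seen at least $3 times.
offenders() {      # $1 = pattern file, $2 = log file, $3 = threshold
    matching_ips "$1" "$2" | sort | uniq -c |
        awk -v t="$3" '$1 + 0 >= t + 0 { print $1, $2 }'
}

# Add current offenders to the table, then drop entries older than EXPIRE
# seconds, so the table tracks the last day of activity instead of growing
# forever.  Meant to be run from cron every few minutes.
block_offenders() {   # $1 = pattern file, $2 = log file
    offenders "$1" "$2" "$THRESHOLD" | while read -r count ip; do
        run pfctl -t "$TABLE" -T add "$ip"
    done
    run pfctl -t "$TABLE" -T expire "$EXPIRE"
}

# Constructed sample data (not from the original post) for a stand-alone run:
# 5 failures from 192.0.2.10, 2 from 198.51.100.7, one successful login.
make_sample() {   # $1 = directory to write into
    cat > "$1/patterns" <<'EOF'
sshd\[[0-9]+\]: Failed password for .* from
sshd\[[0-9]+\]: Invalid user .* from
EOF
    cat > "$1/auth.log" <<'EOF'
Dec 19 12:00:01 gw sshd[1001]: Failed password for root from 192.0.2.10 port 51234 ssh2
Dec 19 12:00:03 gw sshd[1002]: Failed password for root from 192.0.2.10 port 51235 ssh2
Dec 19 12:00:05 gw sshd[1003]: Invalid user admin from 192.0.2.10
Dec 19 12:00:07 gw sshd[1004]: Failed password for invalid user admin from 192.0.2.10 port 51236 ssh2
Dec 19 12:00:09 gw sshd[1005]: Failed password for root from 192.0.2.10 port 51237 ssh2
Dec 19 12:01:00 gw sshd[1006]: Failed password for mel from 198.51.100.7 port 40001 ssh2
Dec 19 12:01:05 gw sshd[1007]: Failed password for mel from 198.51.100.7 port 40002 ssh2
Dec 19 12:02:00 gw sshd[1008]: Accepted publickey for mel from 203.0.113.5 port 40003 ssh2
EOF
}

# With no arguments, dry-run against the constructed sample; otherwise
# usage: ./blockbf.sh patterns.conf /var/log/auth.log   (assumed script name)
if [ $# -eq 0 ]; then
    demo=$(mktemp -d)
    make_sample "$demo"
    block_offenders "$demo/patterns" "$demo/auth.log"
    rm -r "$demo"
else
    block_offenders "$1" "${2:-/var/log/auth.log}"
fi
```

With the sample data the dry run prints an `add` for 192.0.2.10 only (198.51.100.7 stays under the threshold) followed by the `expire` call. The expiry is what keeps the table within PF's default limits: an address that scans once and never returns is gone after a day, while a repeat offender is simply re-added on the next cron run.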