RFC: Fam/Python based script for bruteforce blocking
Brandon Low
lostlogic at lostlogicx.com
Sat Dec 26 21:32:05 UTC 2009
On 2009-12-19 (Sat) at 03:38:26 -0900, Mel Flynn wrote:
> Well, my first problem with it is obviously that I now need python, where I
> don't want python. In fact, my firewalls/gateways only have /bin/sh and
> /bin/csh as scripting languages. It's one reason I switched from custom
> sysutils/grok rules to using security/sshguard - it got me rid of perl.
That makes sense -- I'm using it on a general purpose server as opposed
to a dedicated firewall box.
> Secondly, you have matching rules coded in the script. If there would be one
> reason to prefer this script over sshguard, it would be that I can add attack
> patterns more easily, in config file with a syntax that's not too obscure.
Interesting thought, I will definitely make the matching rules
configurable and potentially make possible to monitor multiple logfiles
for attack patterns (potentially configurable per-logfile).
> Last but not least, you assume that once an IP is at fault, I want that IP
> blocked permanently. In practice you end up with an extremely large table that
> might eventually be too big for a default PF table and recurring scans from
> the same IP are not that common (you see the IP in a 12-24 hour window, then
> not again).
You've misread the script. IPs are expired after a configurable number
of seconds.
>
> Hope this helps.
Thanks kindly for the feedback!
--Brandon
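The three design points raised in the thread (attack patterns kept in a config file rather than hard-coded, a failure threshold within a time window, and blocked IPs that expire after a configurable number of seconds so the PF table does not grow without bound) fit in a short sketch. The following is an added example, not Brandon's script or sshguard's code; the rule-file format (one regex per line with a named `ip` group), the class and function names, the sample log lines and the `bruteforce` table name are all assumptions made here. PF commands are returned as strings rather than executed.

```python
import re
from collections import defaultdict

# Constructed rule file: one regular expression per line, each capturing the
# offending address in a named group called "ip". Blank lines and "#" comments
# are ignored, so patterns can be added without touching the script.
SAMPLE_RULES = r"""
# OpenSSH password failures and probes for non-existent accounts
sshd\[\d+\]: Failed password for (invalid user )?\S+ from (?P<ip>[\d.]+)
sshd\[\d+\]: Invalid user \S+ from (?P<ip>[\d.]+)
"""

# Constructed syslog-style lines: one address fails three times, one logs in
# legitimately, one fails once (below threshold).
SAMPLE_LOG = """\
Dec 26 21:00:01 host sshd[1234]: Failed password for root from 203.0.113.7 port 4022 ssh2
Dec 26 21:00:03 host sshd[1234]: Failed password for root from 203.0.113.7 port 4023 ssh2
Dec 26 21:00:05 host sshd[1235]: Invalid user admin from 203.0.113.7
Dec 26 21:00:09 host sshd[1236]: Accepted publickey for alice from 198.51.100.5 port 5000 ssh2
Dec 26 21:00:12 host sshd[1237]: Failed password for bob from 198.51.100.9 port 5100 ssh2
"""


def load_rules(text):
    """Compile the rule file; reject rules that cannot tell us which IP to block."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rx = re.compile(line)
        if "ip" not in rx.groupindex:
            raise ValueError("rule lacks a (?P<ip>...) group: %s" % line)
        rules.append(rx)
    return rules


def log_time(line):
    """Seconds since midnight from the HH:MM:SS field of a syslog line."""
    h, m, s = line.split()[2].split(":")
    return int(h) * 3600 + int(m) * 60 + int(s)


class Blocker:
    def __init__(self, rules, threshold=3, window=60, block_seconds=3600):
        self.rules = rules
        self.threshold = threshold        # failures needed before blocking
        self.window = window              # ...within this many seconds
        self.block_seconds = block_seconds  # how long a block lasts
        self.attempts = defaultdict(list)  # ip -> timestamps of recent failures
        self.blocked = {}                  # ip -> time the block expires
        self.actions = []                  # ("block"|"unblock", ip), in order

    def match(self, line):
        for rx in self.rules:
            m = rx.search(line)
            if m:
                return m.group("ip")
        return None

    def observe(self, line, now):
        """Feed one log line; return the IP if this line triggered a block."""
        ip = self.match(line)
        if ip is None or ip in self.blocked:
            return None
        hits = [t for t in self.attempts[ip] if now - t <= self.window]
        hits.append(now)
        self.attempts[ip] = hits
        if len(hits) >= self.threshold:
            self.blocked[ip] = now + self.block_seconds
            del self.attempts[ip]
            self.actions.append(("block", ip))
            return ip
        return None

    def expire(self, now):
        """Drop blocks whose time is up; return the IPs that were released."""
        expired = [ip for ip, t in self.blocked.items() if t <= now]
        for ip in expired:
            del self.blocked[ip]
            self.actions.append(("unblock", ip))
        return expired


def pf_commands(actions, table="bruteforce"):
    """Map block/unblock actions onto pfctl table edits (returned, not run)."""
    cmds = []
    for kind, ip in actions:
        op = "add" if kind == "block" else "delete"
        cmds.append("pfctl -t %s -T %s %s" % (table, op, ip))
    return cmds


def run_sample(threshold=3, window=60, block_seconds=3600):
    """Replay the constructed log through a Blocker and return it."""
    b = Blocker(load_rules(SAMPLE_RULES), threshold, window, block_seconds)
    for line in SAMPLE_LOG.splitlines():
        b.observe(line, log_time(line))
    return b


if __name__ == "__main__":
    b = run_sample()
    b.expire(log_time("Dec 26 23:00:00 x") )
    print("\n".join(pf_commands(b.actions)))
```

In a real deployment the loop would tail the log file (or take lines from a file-alteration monitor, as the thread's script does), call `expire()` periodically, and run the returned `pfctl` commands; the window and threshold keep a single mistyped password from earning a block, and the expiry keeps the table bounded.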