machine hangs on occasion - correlated with ssh break-in attempts

[David Wolfskill]

On Thu, Aug 21, 2008 at 01:38:38PM -0400, Mikhail Teterin wrote:
> ...
> I wrote an awk-script, which adds a block of the attacking IP-address to 
> the ipfw-rules after three such "invalid user" attempts with:
> 
>    ipfw add 550 deny ip from ip
> 
> The script is fed by syslogd directly -- through a syslog.conf rule 
> ("|/opt/sbin/auth-log-watch").
> ... 

At a previous employer, we were building mail relay boxen (FreeBSD
6.0 - 6.2 timeframe); at one point, It Was Decided that rather than
having /var/log/maillog written directly by syslogd(8), syslogd(8)
would feed a Perl script that would do some "Database Things" and
then get around to appending to /var/log/maillog itself.

While the amount of work involved was assuredly greater in that case
than in yours, those of us who were actually building and running the
relays in question were very unsurprised when Postfix performance
improved significantly following a redesign of the application, so that
/var/log/maillog was written by syslogd(8) and the Perl script was
effectively fed via "tail -F".

> Once in a while I manually flush these rules... I this a good (safe) 
> reaction?

I also see such things (on my home "firewall" machine); my approach
is quite a bit different.  If folks are interested, I could probably
discuss it a bit, but I believe that would be, at best, tangential
to your note, and thus ought not be crafted as if it were part of
the thread -- and definitely does not warrant the cross-post.

> ...

Peace,
david
-- 
David H. Wolfskill				david at catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20080821/180a843a/attachment.pgp