Re: pf and hosts.deny

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

[view in full thread]

From: Lars Noodén <larsnooden@...>

Cc: misc <misc@...>

Subject: Re: pf and hosts.deny

Date: Saturday, April 19, 2008 - 12:13 pm

Ok. I'm slow enough writing that others have started to answer also...

Vikas N Kumar wrote:

quoted text

> ... I have set maximum number
> of tries to just 2, I would like to be able to note down the IP address
> (after say 10 unsuccessful login attempts) from where the attacks are coming
> in and then dynamically add them to hosts.deny for the next few days or
> permanently...

Working with hosts.deny is not a pf feature, but it might be glued
together.

Curt Micol wrote:

quoted text

> I think this is what you want:
> http://home.nuug.no/~peter/pf/en/bruteforce.html

As Curt just answered, PF tables are an option. See also
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf

I am getting good mileage out of "The Book of PF", and tables are
covered there pp 67-71 and pp 31-32. Maybe using PF's tables is enough
for you.

There are at least four pieces that might be useful if you really want a
script to add to hosts.deny.
1) pf.conf
2) pfctl
3) sshd_config
4) /var/log/authlog

Henri Salo wrote:

quoted text

> There was a topic in a misc 2008-04-16 with subject "PF ssh bruteforce
> logging and blocking". You should read it.

Basically, you can have the blocked addresses exported from the PF
table. From there they can be imported via a script into hosts.deny or
anywhere else you might want. The tool for that is pfctl with the "-t"
and "-T show" options:
http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl

However, PF only logs the connections attempts. The sshd_config keyword
"MaxAuthTries" will specifically log failed attempts to log in, per
connection, if they exceed 1/2 the maximum number of tries for that
connection.
http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config
However, if each attempt is on a new connection, then that's not
necessarily a help for you.

The failed attempts will also show up in /var/log/authlog, regardless.

e.g. Apr 16 17:13:27 +gateway sshd[12708]: Failed password
for root from 218.106.52.91 port 58224 ssh2

And that can be parsed for addresses.

Regards,
-Lars

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

pf and hosts.deny, Vikas N Kumar, (Sat Apr 19, 10:02 am)

Re: pf and hosts.deny, Vikas N Kumar, (Sun Apr 20, 6:37 pm)

Re: pf and hosts.deny, Lars Noodén, (Sat Apr 19, 12:13 pm)

Re: pf and hosts.deny, Henri Salo, (Sat Apr 19, 11:36 am)

Re: pf and hosts.deny, Curt Micol, (Sat Apr 19, 10:27 am)


linux-kernel:
Greg Kroah-Hartman	[PATCH 002/196] Chinese: rephrase English introduction in HOWTO
Tarkan Erimer	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Amit K. Arora	[RFC] Heads up on sys_fallocate()
Linus Torvalds	Re: 2.6.25-rc2 System no longer powers off after suspend-to-disk. Screen becomes g...
git:

linux-netdev:
David Miller	[GIT]: Networking
Jarek Poplawski	Re: [PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
Gerrit Renker	[PATCH 27/37] dccp: Integration of dynamic feature activation - part 2 (server side)
Ray Lee	Re: [BUG] New Kernel Bugs
openbsd-misc:

Re: pf and hosts.deny

Online users