Re: pf and hosts.deny

Cc: misc <misc@...>
Date: Saturday, April 19, 2008 - 12:13 pm

Ok. I'm slow enough writing that others have started to answer also...

Vikas N Kumar wrote:

Working with hosts.deny is not a pf feature, but it might be glued
together.

Curt Micol wrote:

As Curt just answered, PF tables are an option. See also
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf

I am getting good mileage out of "The Book of PF", and tables are
covered there pp 67-71 and pp 31-32. Maybe using PF's tables is enough
for you.

There are at least four pieces that might be useful if you really want a
script to add to hosts.deny.
1) pf.conf
2) pfctl
3) sshd_config
4) /var/log/authlog

Henri Salo wrote:

Basically, you can have the blocked addresses exported from the PF
table. From there they can be imported via a script into hosts.deny or
anywhere else you might want. The tool for that is pfctl with the "-t"
and "-T show" options:
http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl

However, PF only logs the connection attempts. The sshd_config keyword
"MaxAuthTries" will specifically log failed attempts to log in, per
connection, if they exceed 1/2 the maximum number of tries for that
connection.
http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config
However, if each attempt is on a new connection, then that's not
necessarily a help for you.

The failed attempts will also show up in /var/log/authlog, regardless.

e.g. Apr 16 17:13:27 +gateway sshd[12708]: Failed password
for root from 218.106.52.91 port 58224 ssh2

And that can be parsed for addresses.

Regards,
-Lars
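The authlog-parsing step described above, as an added example that is not part of the original post or of OpenBSD: a small sh/awk script that pulls the source addresses of "Failed password" lines out of authlog-style input, keeps those seen at least N times, and appends them as hosts.deny entries. The log lines are constructed sample data, and the target file is a placeholder to be replaced by /etc/hosts.deny (or a pfctl -T add call) on a real host.

```shell
#!/bin/sh
# Added example, not from the original post. Parses sshd "Failed password"
# lines (constructed sample below) into hosts.deny entries.

SAMPLE_AUTHLOG='Apr 16 17:13:27 gateway sshd[12708]: Failed password for root from 218.106.52.91 port 58224 ssh2
Apr 16 17:13:31 gateway sshd[12708]: Failed password for root from 218.106.52.91 port 58301 ssh2
Apr 16 17:14:02 gateway sshd[12710]: Failed password for invalid user admin from 192.0.2.10 port 4410 ssh2
Apr 16 17:15:00 gateway sshd[12712]: Accepted publickey for lars from 198.51.100.7 port 50000 ssh2'

# failed_ssh_addrs MIN: read authlog lines on stdin and print, sorted, each
# address with at least MIN "Failed password" entries. Only dotted-quad
# addresses are accepted, so a crafted log line cannot inject arbitrary
# text into hosts.deny.
failed_ssh_addrs() {
    awk -v min="${1:-1}" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i < NF; i++)
                if ($i == "from" && $(i+1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                    count[$(i+1)]++
        }
        END { for (a in count) if (count[a] >= min) print a }
    ' | sort
}

# hosts_deny_lines: turn addresses on stdin into "sshd: ADDR" entries.
hosts_deny_lines() {
    while IFS= read -r addr; do
        printf 'sshd: %s\n' "$addr"
    done
}

# update_hosts_deny TARGET MIN: append new entries to TARGET (placeholder
# for /etc/hosts.deny), skipping ones already present, then print the file.
update_hosts_deny() {
    target="$1"
    [ -f "$target" ] || : > "$target"
    printf '%s\n' "$SAMPLE_AUTHLOG" | failed_ssh_addrs "$2" | hosts_deny_lines |
    while IFS= read -r line; do
        grep -qxF "$line" "$target" || printf '%s\n' "$line" >> "$target"
    done
    cat "$target"
}
```

On a live system, replace SAMPLE_AUTHLOG with `cat /var/log/authlog` and raise MIN so a single mistyped password does not get a host blocked.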


Messages in current thread:
pf and hosts.deny, Vikas N Kumar, (Sat Apr 19, 10:02 am)
Re: pf and hosts.deny, Vikas N Kumar, (Sun Apr 20, 6:37 pm)
Re: pf and hosts.deny, Lars Noodén, (Sat Apr 19, 12:13 pm)
Re: pf and hosts.deny, Henri Salo, (Sat Apr 19, 11:36 am)
Re: pf and hosts.deny, Curt Micol, (Sat Apr 19, 10:27 am)