git: sshlockout - use a PF table instead of IPFW
bycn82
bycn82 at gmail.com
Wed Jan 21 05:10:45 PST 2015
*the IP address will be blocked from creating new SSH connection for 10
minutes if IP failed to login for 3 times within 5 minutes.*
*I think, it should be the requirement.*
*I used to resolve this with a very simple perl script, I named that script
"stack.pl <http://stack.pl>", tail and other command can print the IP
address from the log file, and the IP address will pipe into the stack.pl
<http://stack.pl>*
*the stack.pl <http://stack.pl> will check/maintains the mapping of
TIME=>IP, and call command to block the IP, and at that time, I use cronjob
to remove the IP from iptables*
*Regards,*
*Bill Yuan*
On 21 January 2015 at 15:23, Matthew Dillon <dillon at backplane.com> wrote:
> It would be a bad idea to allow arbitrary commands to be executed. That
> opens up a whole slew of possible breakages and security issues. I don't
> mind there being options to add specifically to IPFW or PF (as long as PF
> is the default), and I don't mind there being an option to be able to
> specify the IPFW rule when in IPFW mode. But we should not get too fancy.
>
> I'm running the PF version on most of the production blades and my home
> machines now. It's a pretty good test because they usually accumulate
> ~20-30 different IPs a day or more. kronos has already locked out 9.
>
> -Matt
>
> On Tue, Jan 20, 2015 at 6:52 AM, bycn82 <bycn82 at gmail.com> wrote:
>
>> *I recommend to use this feature in ipfw is because delete ip using
>> crontab sounds not good for me.*
>>
>> *Regards,*
>> *Bill Yuan*
>>
>> On 19 January 2015 at 17:51, Michael Neumann <mneumann at ntecs.de> wrote:
>>
>>>
>>>
>>> Am 18.01.2015 um 12:31 schrieb bycn82:
>>>
>>>> /Hi,/
>>>> /
>>>> /
>>>> /I just implemented a feature which can work nicely with your
>>>> sshlockout. /
>>>> /You can manually insert a state as below and the state will be maintain
>>>> by ipfw itself./
>>>> /
>>>> /
>>>> /ipfw state add rulenum 100 udp 192.168.1.1:0 <http://192.168.1.1:0>
>>>> 8.8.8.8:53 <http://8.8.8.8:53> expiry +600/
>>>> /
>>>> /
>>>> /so you dont need to implement the logic to maintain the IP addresses or
>>>> configure any crontab to remove../
>>>>
>>>
>>> Cool!
>>>
>>> I think I will extend sshlockout so that it runs arbitrary commands.
>>>
>>> At the moment you run:
>>>
>>> sshlockout lockout
>>>
>>> which would then be equal to:
>>>
>>> sshlockout "pfctl -tlockout -Tadd %s"
>>>
>>> So it will works with ipfw:
>>>
>>> sshlockout "ipfw state add rulenum 100 udp 192.168.1.1:0 %s:53
>>> expiry +600"
>>>
>>> What do you think?
>>>
>>> Regards,
>>>
>>> Michael
>>>
>>>
>>> /
>>>> /
>>>> /different state can have different expiry or "life time"./
>>>> /
>>>> /
>>>> /any comment?/
>>>> /
>>>> /
>>>>
>>>> /Regards,/
>>>> /Bill Yuan/
>>>>
>>>> On 14 January 2015 at 02:25, Michael Neumann
>>>> <mneumann at crater.dragonflybsd.org
>>>> <mailto:mneumann at crater.dragonflybsd.org>> wrote:
>>>>
>>>>
>>>> commit ed17c1722f7702eb6422f73152c0091819a1900f
>>>> Author: Michael Neumann <mneumann at ntecs.de <mailto:
>>>> mneumann at ntecs.de>>
>>>> Date: Tue Jan 13 13:04:29 2015 +0100
>>>>
>>>> sshlockout - use a PF table instead of IPFW
>>>>
>>>> Summary of changes:
>>>> usr.sbin/sshlockout/sshlockout.8 | 27 +++++++++++-------
>>>> usr.sbin/sshlockout/sshlockout.c | 59
>>>> +++++++++++++++++++++++++++-------------
>>>> 2 files changed, 57 insertions(+), 29 deletions(-)
>>>>
>>>> http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/
>>>> ed17c1722f7702eb6422f73152c0091819a1900f
>>>>
>>>>
>>>> --
>>>> DragonFly BSD source repository
>>>>
>>>>
>>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dragonflybsd.org/pipermail/users/attachments/20150121/677d1a4d/attachment-0002.html>
More information about the Users
mailing list