git: sshlockout - use a PF table instead of IPFW

bycn82 bycn82 at gmail.com
Wed Jan 21 05:10:45 PST 2015


*the IP address will be blocked from creating new SSH connection for 10
minutes  if IP failed to login for 3 times within 5 minutes.*

*I think, it should be the requirement.*

*I used to resolve this with a very simple perl script, I named that script
"stack.pl <http://stack.pl>",  tail and other command can print the IP
address from the log file, and the IP address will pipe into the stack.pl
<http://stack.pl>*

*the stack.pl <http://stack.pl> will check/maintains the mapping of
TIME=>IP, and call command to block the IP, and at that time, I use cronjob
to remove the IP from iptables*






*Regards,*
*Bill Yuan*

On 21 January 2015 at 15:23, Matthew Dillon <dillon at backplane.com> wrote:

> It would be a bad idea to allow arbitrary commands to be executed.  That
> opens up a whole slew of possible breakages and security issues.  I don't
> mind there being options to add specifically to IPFW or PF (as long as PF
> is the default), and I don't mind there being an option to be able to
> specify the IPFW rule when in IPFW mode.  But we should not get too fancy.
>
> I'm running the PF version on most of the production blades and my home
> machines now.  It's a pretty good test because they usually accumulate
> ~20-30 different IPs a day or more.  kronos has already locked out 9.
>
> -Matt
>
> On Tue, Jan 20, 2015 at 6:52 AM, bycn82 <bycn82 at gmail.com> wrote:
>
>> ​*I recommend to use this feature in ipfw is because delete ip using
>> crontab sounds not good for me.*​
>>
>> *Regards,*
>> *Bill Yuan*
>>
>> On 19 January 2015 at 17:51, Michael Neumann <mneumann at ntecs.de> wrote:
>>
>>>
>>>
>>> Am 18.01.2015 um 12:31 schrieb bycn82:
>>>
>>>> /Hi,/
>>>> /
>>>> /
>>>> /I just implemented a feature which can work nicely with your
>>>> sshlockout. /
>>>> /You can manually insert a state as below and the state will be maintain
>>>> by ipfw itself./
>>>> /
>>>> /
>>>> /ipfw state add rulenum 100 udp 192.168.1.1:0 <http://192.168.1.1:0>
>>>> 8.8.8.8:53 <http://8.8.8.8:53> expiry +600/
>>>> /
>>>> /
>>>> /so you dont need to implement the logic to maintain the IP addresses or
>>>> configure any crontab to remove../
>>>>
>>>
>>> Cool!
>>>
>>> I think I will extend sshlockout so that it runs arbitrary commands.
>>>
>>> At the moment you run:
>>>
>>>     sshlockout lockout
>>>
>>> which would then be equal to:
>>>
>>>     sshlockout "pfctl -tlockout -Tadd %s"
>>>
>>> So it will works with ipfw:
>>>
>>>     sshlockout "ipfw state add rulenum 100 udp 192.168.1.1:0 %s:53
>>> expiry +600"
>>>
>>> What do you think?
>>>
>>> Regards,
>>>
>>>   Michael
>>>
>>>
>>>  /
>>>> /
>>>> /different state can have different expiry or "life time"./
>>>> /
>>>> /
>>>> /any comment?/
>>>> /
>>>> /
>>>>
>>>> /Regards,/
>>>> /Bill Yuan/
>>>>
>>>> On 14 January 2015 at 02:25, Michael Neumann
>>>> <mneumann at crater.dragonflybsd.org
>>>> <mailto:mneumann at crater.dragonflybsd.org>> wrote:
>>>>
>>>>
>>>>     commit ed17c1722f7702eb6422f73152c0091819a1900f
>>>>     Author: Michael Neumann <mneumann at ntecs.de <mailto:
>>>> mneumann at ntecs.de>>
>>>>     Date:   Tue Jan 13 13:04:29 2015 +0100
>>>>
>>>>          sshlockout - use a PF table instead of IPFW
>>>>
>>>>     Summary of changes:
>>>>       usr.sbin/sshlockout/sshlockout.8 | 27 +++++++++++-------
>>>>       usr.sbin/sshlockout/sshlockout.c | 59
>>>>     +++++++++++++++++++++++++++-------------
>>>>       2 files changed, 57 insertions(+), 29 deletions(-)
>>>>
>>>>     http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/
>>>> ed17c1722f7702eb6422f73152c0091819a1900f
>>>>
>>>>
>>>>     --
>>>>     DragonFly BSD source repository
>>>>
>>>>
>>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dragonflybsd.org/pipermail/users/attachments/20150121/677d1a4d/attachment-0003.htm>


More information about the Users mailing list