Subject: Re: Autoblocking sites after ssh probes
To: Martin Husemann <current-users@NetBSD.org, martin@duskware.de>
From: Hubert Feyrer <hubertf@gmx.de>
List: current-users
Date: 02/03/2005 01:46:27
In article <20050127222942.GA12893@drowsy.duskware.de> you wrote:
> Now, here is the question: does anyone know of a tool to automagically recognize
> this sequence of logs that temporarily adds the corresponding block rules to
> ipf and expires them after, say, 24 hours?
I don't know of any ready-made software, but I guess snort could be used to
detect the login attempts, and you could then load these lines dynamically
into "ipf -f -", and remove the same lines by loading them into "ipf -r -f
-" (both from stdin). See [1] for a bit of (German-language) documentation
on dynamic IPF config.
Implementation of timeouts may be possible via at(1) or some other
facility.
- Hubert
[1] http://smaug.fh-regensburg.de/~feyrer/vulab/hubertf/firewall
--
___ _ _ _ _ * Harddisk Image Cloning *
/ __| | || | | | www.feyrer.de/g4u/
| (_ |_ _| |_| |
\___| |_| \___/ Version 2.0 out now!
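
Added example (not part of the original message, and not taken from the documentation at [1]): a sh script following the approach described above, loading a block rule through "ipf -f -" and queueing its removal through "ipf -r -f -" with at(1). The function names, the IPv4-only validation, the rule form and the 24-hour default (taken from the quoted question) are assumptions made for this example.

```sh
#!/bin/sh
# Added example; function names, rule form and IPv4-only scope are assumptions.
# Must run as root so that ipf and the queued at(1) job can change the rules.
BLOCK_HOURS=${BLOCK_HOURS:-24}

# The address comes from log data a remote party can influence, and it ends
# up in a firewall rule and in an at(1) job, so accept a strict dotted quad only.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|????*|0?*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# One rule text for both directions: "ipf -r -f -" removes the rules it reads,
# so the removal has to send the same line that was added.
block_rule() {
    valid_ipv4 "$1" || return 1
    printf 'block in quick from %s/32 to any\n' "$1"
}

# Text of the job handed to at(1); it feeds the same rule to "ipf -r -f -".
unblock_job() {
    rule=$(block_rule "$1") || return 1
    printf "echo '%s' | ipf -r -f -\n" "$rule"
}

# Add the block now and queue its removal BLOCK_HOURS later.
temp_block() {
    rule=$(block_rule "$1") || { echo "rejected: $1" >&2; return 1; }
    job=$(unblock_job "$1") || return 1
    printf '%s\n' "$rule" | ipf -f - || return 1
    printf '%s\n' "$job" | at now + "$BLOCK_HOURS" hours
}

# Example call from a log watcher: temp_block 192.0.2.10
```

Pending removals can be listed with atq(1); a reboot that reloads the static ruleset drops the temporary blocks, while the queued removal jobs still run and then find nothing to remove.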