Being dissatisfied with the various brute-force attack blockers, I decided to write one myself. Unlike other blocker programs, this one doesn't need external help to keep the state of attempted break-ins: no file, no database, no shared memory. It relies solely on IPFW2's table functionality. The trick is that we usually want to block an IP address after very few attempts (typically 3), so we can simply use one IPFW2 table per attempt count and record the time of the attempt in the table entry's tag field. On each attempt we promote the IP entry from table (n) to table (n+1), until it reaches the table that does the actual blocking.
Of course this only works with IPFW2 (but conversion to PF is straightforward).
To use this program, place a line into /etc/syslog.conf as follows:
auth.info;authpriv.info |exec /path/to/ipfwblock --options
The process forks itself into the background. The child process stays resident and is responsible for cleaning out old entries. The foreground process receives data from syslogd and enters new IP addresses into the IPFW2 tables as appropriate. Note that it is safe if the foreground process dies (for instance, when syslogd receives a HUP signal as a result of log file rotation): syslogd will start a fresh foreground process when appropriate. Likewise, a fresh daemon will be started if the background process has died for whatever reason.
Options are as follows:
With the default settings, we use IPFW2 tables 0, 1, and 2, where table 2 is the "hot" table responsible for the actual blocking. Be sure to set up your IPFW2 rules accordingly, e.g.
deny ip from table(2) to any
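The promotion scheme described above, as an added Python example that is not the author's Perl program: it parses sshd failure lines of the kind syslogd would pipe in, promotes the source address from table 0 through table 2 with the attempt time as the entry's tag value, and expires stale entries the way the background daemon would. The `ipfw table N add addr value` / `ipfw table N delete addr` / `ipfw table N list` command forms (classic numbered-table syntax), the sshd log line format, the TEST-NET sample addresses and the 600-second window are assumptions; in dry-run mode the ipfw commands are only recorded and an in-memory mirror stands in for the kernel tables.

```python
import re
import subprocess
import sys
import time

# OpenSSH failure line as syslogd pipes it (constructed format; adapt to your sshd).
FAILED_RE = re.compile(
    r"Failed (?:password|publickey|keyboard-interactive/pam) for "
    r"(?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_table_list(text):
    """Parse `ipfw table N list` output ("addr/len value" per line) into {ip: tag}."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            entries[parts[0].split("/")[0]] = int(parts[1])
    return entries


class IpfwTables:
    """Promotion logic over numbered ipfw tables: tables[0] holds first attempts,
    tables[-1] is the hot table that the firewall rule denies. The attempt time
    is stored as the entry value, so the tables themselves are the only state."""

    def __init__(self, tables=(0, 1, 2), window=600, dry_run=True):
        self.tables = list(tables)
        self.hot = self.tables[-1]
        self.window = window              # seconds an entry survives in any table
        self.dry_run = dry_run
        self.mirror = {t: {} for t in self.tables}   # stand-in for the kernel tables
        self.commands = []                # every ipfw command issued (or would be)

    def _ipfw(self, *args):
        cmd = ["ipfw", "table", *map(str, args)]
        self.commands.append(" ".join(cmd))
        if not self.dry_run:
            subprocess.run(cmd, check=True)

    def entries(self, table):
        """Current {ip: tag} content of a table, read back from ipfw on a real box."""
        if self.dry_run:
            return dict(self.mirror[table])
        out = subprocess.run(["ipfw", "table", str(table), "list"],
                             check=True, capture_output=True, text=True).stdout
        return parse_table_list(out)

    def add(self, table, ip, tag):
        self.mirror[table][ip] = tag
        self._ipfw(table, "add", ip, tag)

    def delete(self, table, ip):
        self.mirror[table].pop(ip, None)
        self._ipfw(table, "delete", ip)

    def find(self, ip):
        """Which table (if any) currently holds ip, i.e. how many attempts it has made."""
        for t in self.tables:
            if ip in self.entries(t):
                return t
        return None

    def record_attempt(self, ip, now):
        """Insert a new address into the first table or promote it one table up.
        Returns the table the address ends up in."""
        cur = self.find(ip)
        if cur is None:
            self.add(self.tables[0], ip, now)
            return self.tables[0]
        if cur == self.hot:
            return cur   # already blocked; deleting and re-adding would briefly unblock it
        nxt = self.tables[self.tables.index(cur) + 1]
        self.delete(cur, ip)
        self.add(nxt, ip, now)
        return nxt

    def expire(self, now):
        """The background daemon's job: drop entries whose tag is older than the window."""
        removed = []
        for t in self.tables:
            for ip, tag in self.entries(t).items():
                if now - tag > self.window:
                    self.delete(t, ip)
                    removed.append((t, ip))
        return removed


def handle_syslog_line(line, tables, now):
    """Feed one syslog line; returns the table the source address landed in, or None."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    return tables.record_attempt(m.group(1), now)


if __name__ == "__main__":
    # Foreground mode as invoked from syslog.conf: read piped lines, drive real ipfw.
    tables = IpfwTables(dry_run=False)
    for line in sys.stdin:
        handle_syslog_line(line, tables, int(time.time()))
```

The hot-table entry is deliberately left untouched on further attempts: refreshing its tag would require a delete followed by an add, which opens a short window in which the address is not denied. The expiry window therefore counts from the attempt that triggered the block.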
As usual, there's a downside: this is hard-core Perl, with zero documentation apart from the source.
Just drop me a mail if you have suggestions.
last modified by myself at 12 Nov 2007 12:32:52 CET