Ok. I'm slow enough writing that others have started to answer also...

Vikas N Kumar wrote:
> ... I have set maximum number of tries to just 2, I would like to be
> able to note down the IP address (after say 10 unsuccessful login
> attempts) from where the attacks are coming in and then dynamically add
> them to hosts.deny for the next few days or permanently...

Working with hosts.deny is not a pf feature, but it might be glued together.

Curt Micol wrote:
> I think this is what you want:
> http://home.nuug.no/~peter/pf/en/bruteforce.html

As Curt just answered, PF tables are an option. See also
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf

I am getting good mileage out of "The Book of PF", and tables are covered
there pp 67-71 and pp 31-32. Maybe using PF's tables is enough for you.

There are at least four pieces that might be useful if you really want a
script to add to hosts.deny.

1) pf.conf
2) pfctl
3) sshd_config
4) /var/log/authlog

Henri Salo wrote:
> There was a topic in a misc 2008-04-16 with subject "PF ssh bruteforce
> logging and blocking". You should read it.

Basically, you can have the blocked addresses exported from the PF table.
From there they can be imported via a script into hosts.deny or anywhere
else you might want. The tool for that is pfctl with the "-t" and "-T show"
options:
http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl

However, PF only logs the connection attempts. The sshd_config keyword
"MaxAuthTries" will specifically log failed attempts to log in, per
connection, if they exceed 1/2 the maximum number of tries for that
connection.
http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config

However, if each attempt is on a new connection, then that's not
necessarily a help for you.

The failed attempts will also show up in /var/log/authlog, regardless. e.g.

Apr 16 17:13:27 +gateway sshd[12708]: Failed password for root from 218.106.52.91 port 58224 ssh2

And that can be parsed for addresses.

Regards,
-Lars
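The authlog-parsing step Lars sketches at the end, written out as an added example (not code from the thread or from OpenBSD): it counts "Failed password" lines per source address, emits the ones at or above the asker's threshold of 10, and turns them into hosts.deny entries that are not already present. The threshold, the "sshd:" daemon name and the sample log generator are assumptions for the demo; the line format follows the authlog line quoted above.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Assumes OpenBSD authlog lines like:
#   ... sshd[PID]: Failed password for USER from ADDR port N ssh2
# The default threshold of 10 is the one the original asker mentioned.
THRESHOLD=${THRESHOLD:-10}

# offenders LIMIT : read authlog lines on stdin, print one address per line
# for every source with at least LIMIT failed password attempts.
# "invalid user" lines also contain "from ADDR", so both forms are counted.
offenders() {
    awk -v limit="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (a in n) if (n[a] >= limit) print a }
    ' | sort
}

# to_hosts_deny FILE : turn addresses on stdin into "sshd: ADDR" lines,
# skipping any address that FILE already lists, so re-runs stay idempotent.
to_hosts_deny() {
    deny="$1"
    while read -r addr; do
        grep -qxF "sshd: $addr" "$deny" 2>/dev/null || printf 'sshd: %s\n' "$addr"
    done
}

# sample_log : constructed test input (documentation addresses, not real data):
# 12 failures from 192.0.2.10, 3 from 192.0.2.20, one accepted login.
sample_log() {
    i=0
    while [ "$i" -lt 12 ]; do
        printf 'Apr 16 17:13:%02d gateway sshd[12708]: Failed password for root from 192.0.2.10 port 58224 ssh2\n' "$i"
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 3 ]; do
        printf 'Apr 16 17:14:%02d gateway sshd[12710]: Failed password for invalid user admin from 192.0.2.20 port 40001 ssh2\n' "$i"
        i=$((i + 1))
    done
    printf 'Apr 16 17:15:00 gateway sshd[12711]: Accepted publickey for lars from 192.0.2.30 port 50000 ssh2\n'
}

# Live use (requires root): sh blocker.sh run
if [ "${1:-}" = "run" ]; then
    offenders "$THRESHOLD" < /var/log/authlog \
        | to_hosts_deny /etc/hosts.deny >> /etc/hosts.deny
fi
```

Run it from cron for the "next few days" behaviour, and pair it with a periodic rewrite of hosts.deny if entries should expire; the pfctl "-t TABLE -T show" output can be piped into to_hosts_deny the same way.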

