Thursday, March 25, 2021

Re: blacklistd analogue

hi


you can do this with ossec.net


holger


Am 25.03.21 um 18:00 schrieb Kapetanakis Giannis:
> How about a distributed setup?
>
> Has anyone thought of a way of getting IPs from various servers (say
> linux & fail2ban) to the central OpenBSD (pf) firewall?
>
> Ideally with history in order to punish more the frequent abusers.
>
> I had plans on looking to bgp to distribute the IPs around but maybe
> there is already a better way of doing this.
>
> thanks and sorry for hijacking but I believe it's quite relevant.
>
> G
>
> On 3/25/21 10:57 AM, Matthias Pressfreund wrote:
>> You could try this: https://github.com/mpfr/pftbld
>>
>> It uses pf tables instead of anchors to achieve the same goal.
>>
>> Handling sshd abusers may be accomplished by first using pf
>> source-tracking to catch them. For example:
>>
>> -----
>> table <abusers_catch> persist
>> block in quick from <abusers_catch>
>> pass in    on egress proto tcp to egress port ssh keep state ( \
>>     max-src-conn 50, max-src-conn-rate 5/180 \
>>     overload <abusers_catch> flush global \
>> )
>> ------
>>
>> After that, abusers may be fed to pftbld by a cron-controlled script.
>> For example:
>>
>> ------
>> #!/bin/ksh
>> table='abusers_catch'
>> pftblctl='/usr/local/sbin/pftblctl'
>> sock='/var/run/pftbld-abuse.sock'
>> pfctl -t ${table} -T show | while read -r ip; do
>>     [[ $(${pftblctl} -s ${sock} "${ip}") = 'ACK' ]] \
>>         && pfctl -q -t ${table} -T delete ${ip}
>> done
>> ------
>>
>> Handling httpd abusers is simpler and more straightforward, as shown
>> in the pftbld documentation.
>>
>>
>>
>> On 2021-03-24 19:33, jeanpierre wrote:
>>> Does there exist an OpenBSD analogue for FreeBSD's blacklistd daemon?
>>>
>>> For the sake of completeness: blacklistd is a daemon that, using pf
>>> anchors, blocks connections from abusive hosts to particular services
>>> (e.g. sshd) until they start behaving themselves again.
>>>
>>> I find it very useful for trimming down log files.
>>>
>>> Regards,
>>> Jean-Pierre
>>>
>
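An added example (my own, not code from the thread or from pftbld) for the distributed setup asked about above: it merges IP reports from several hosts, keeps a per-IP hit history, and escalates the block time for repeat offenders before an IP is handed to pf or pftbld. The report directory, the history file format and the doubling schedule are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: aggregate abuser IPs reported by
# several hosts, keep a per-IP hit history, and derive an escalating block
# duration for frequent abusers before handing them to pf / pftbld.
# Assumptions (hypothetical): reports are text files, one IPv4 address per
# line, in a report directory (e.g. fetched from fail2ban hosts by rsync);
# the history file holds "ip count last_seen" lines. The block time starts
# at 10 minutes, doubles with every previous hit, and is capped at 24 hours.

# ban_seconds COUNT -> seconds to block an IP that has been seen COUNT times
ban_seconds() {
    count=$1; secs=600
    while [ "$count" -gt 1 ]; do
        secs=$((secs * 2)); count=$((count - 1))
        [ "$secs" -ge 86400 ] && { secs=86400; break; }
    done
    echo "$secs"
}

# record_hit HISTFILE IP NOW -> bumps the IP's hit count in the history
# file (rewritten atomically via a temp file) and prints the new count
record_hit() {
    hist=$1; ip=$2; now=$3
    [ -f "$hist" ] || : > "$hist"
    count=$(awk -v ip="$ip" '$1 == ip { print $2 }' "$hist")
    count=$(( ${count:-0} + 1 ))
    { awk -v ip="$ip" '$1 != ip' "$hist"; echo "$ip $count $now"; } > "$hist.tmp" \
        && mv "$hist.tmp" "$hist"
    echo "$count"
}

# process_reports REPORT_DIR HISTFILE NOW -> prints "ip count seconds" for
# each distinct IP found across all reports; malformed lines are dropped.
# The pf/pftbld call would go inside the loop (commented placeholder).
process_reports() {
    dir=$1; hist=$2; now=$3
    cat "$dir"/*.txt 2>/dev/null | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u |
    while read -r ip; do
        count=$(record_hit "$hist" "$ip" "$now")
        echo "$ip $count $(ban_seconds "$count")"
        # e.g.: pfctl -t abusers -T add "$ip"   (or feed pftblctl as above)
    done
}
```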
