Thursday, March 25, 2021

Re: blacklistd analogue

How about a distributed setup?

Has anyone thought of a way of getting IPs from various servers (say linux
& fail2ban) to the central OpenBSD (pf) firewall?

Ideally with history in order to punish more the frequent abusers.

I had plans to look at bgp to distribute the IPs around, but maybe
there is already a better way of doing this.

Thanks, and sorry for hijacking, but I believe it's quite relevant.

G

On 3/25/21 10:57 AM, Matthias Pressfreund wrote:
> You could try this: https://github.com/mpfr/pftbld
>
> It uses pf tables instead of anchors to achieve the same goal.
>
> Handling sshd abusers may be accomplished by first using pf source-tracking
> to catch them. For example:
>
> -----
> # catch table; "persist" keeps it alive even while it is empty
> table <abusers_catch> persist
> block in quick from <abusers_catch>
> # source-tracking: more than 50 concurrent connections, or more than
> # 5 new connections in 180 s, moves the source into the table and
> # flushes all of its existing states (options are comma-separated)
> pass in on egress proto tcp to egress port ssh keep state ( \
>     max-src-conn 50, max-src-conn-rate 5/180, \
>     overload <abusers_catch> flush global \
> )
> ------
>
> After that, abusers may be fed to pftbld by a cron-controlled script.
> For example:
>
> ------
> #!/bin/ksh
> # Hand every address caught by pf source-tracking over to pftbld, which
> # takes care of expiry; drop it from the catch table once pftbld ACKs.
> table='abusers_catch'
> pftblctl='/usr/local/sbin/pftblctl'
> sock='/var/run/pftbld-abuse.sock'
> pfctl -t ${table} -T show | while read -r ip; do
>     [[ $(${pftblctl} -s ${sock} "${ip}") = 'ACK' ]] \
>         && pfctl -q -t ${table} -T delete "${ip}"
> done
> ------
>
> Handling httpd abusers is simpler and more straightforward, as shown in the
> pftbld documentation.
>
>
>
> On 2021-03-24 19:33, jeanpierre wrote:
>> Does there exist an OpenBSD analogue for FreeBSD's blacklistd daemon?
>>
>> For the sake of completeness: blacklistd is a daemon that, using pf
>> anchors, blocks connections from abusive hosts to particular services
>> (e.g. sshd) until they start behaving themselves again.
>>
>> I find it very useful for trimming down log files.
>>
>> Regards,
>> Jean-Pierre
>>
