> We're straying from the original problem, but have you considered sshguard?
No. I initially looked for something like fail2ban, but after some
working with it on ubuntu and regular problems with its sqlite
database I decided to just try something primitive and clear.
All I have to do is to change the oneliner to give me the right ip addresses.
If I want to do something special with these addresses I only have to
change my script.sh file.
I am just testing all this and may be missing something critical but
the results look good for me.
On Mon Aug 26 11:06:12 2024, Zé Loff wrote:
> On Mon, Aug 26, 2024 at 11:27:02AM +0300, Maksim Rodin wrote:
> > Hello,
> > Here is my ugly script in testing which uses a postgres table to track bad guys in
> > authlog and pf to lock them forever.
> > ---
> > #! /bin/ksh
> > MAX_RETRIES=2
> > function finish_serving {
> > echo "Finish serving";
> > exit 0;
> > }
> > function add_entry {
> > psql -U ecounter -d ecounter_db -q -c "merge into entry_counter \
> > as ec using (select '$1' as e) on ec.entry = \
> > e when matched and ec.count < $MAX_RETRIES then \
> > update set count = count + 1 when not matched then \
> > insert (entry, count) values ('$1', 1);";
> > RESULT=$(psql -U ecounter -d ecounter_db -t -c "select entry from \
> > entry_counter where entry = '$1' and count >= $MAX_RETRIES;");
> > if [[ -n $RESULT ]]; then
> > echo "pfctl add to table $RESULT";
> > /sbin/pfctl -vvt bad_ips -T add $RESULT;
> > /sbin/pfctl -vvk $RESULT;
> > NET=$(echo $RESULT | awk -F. '{print $1 "." $2 ".0.0/16"}');
> > echo "pfctl add to table $NET";
> > /sbin/pfctl -vvt bad_ips -T add $NET;
> > /sbin/pfctl -vvk $NET;
> > RESULT="";
> > NET="";
> > fi
> > }
> > trap finish_serving SIGINT
> > echo Start serving...
> > while read line;
> > do add_entry $line;
> > done
> > ---
> >
> > And an ugly oneliner to make it do the job in real time:
> > ---
> > tail -fn0 /var/log/authlog | grep -E \
> > --line-buffered 'Failed password' | grep -Eo \
> > --line-buffered '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'\
> > | ksh script.sh
> > ---
> >
> > On Sat Aug 24 00:38:11 2024, Joel Carnat wrote:
> > >
> > > >
> > > > Le 23 août 2024 à 17:12, Peter N. M. Hansteen <peter@bsdly.net> a écrit :
> > > >
> > > > On Fri, Aug 23, 2024 at 12:54:20PM +0200, Joel Carnat wrote:
> > > >> I have a server which gets flooded with unsolicited HTTP requests. So far, I use relayd filters to identify those requests and block them, at relayd level. It works as they never reach the web server but relayd is still working to block them.
> > > >>
> > > >> I thought of parsing relayd logs to get those IPs and add them to a pf block table, using an automated script.
> > > >
> > > > If the problem is that there are a lot of requests from the same hosts coming in rapid-fire, it is
> > > > possible that state tracking rules with overloading could be the thing to try.
> > > >
> > > > The other thing that comes to mind is to put together something that parses the logs
> > > > and adds offenders to a table of addresses that PF will block.
> > > >
> > > > Something along the lines of what is described in https://nxdomain.no/~peter/forcing_the_password_gropers_through_a_smaller_hole.html
> > > > (also prettified but tracked at https://bsdly.blogspot.com/2017/04/forcing-password-gropers-through.html)
> > > > could be what you need (some assembly required, obviously).
> > > >
> > > > - Peter
> > >
> > > Unfortunately, those are not single IP spamming. It looks more like infected computers and/or computer farms sending individual requests at "normal" rate. There are just thousands of them.
> > >
> > > The only way to identify them is by looking at User-Agent and/ou HTTP requests body. So pf only won't be enough there.
> > >
> > > I thought I could use some matching relayd rules that would tag the connections so that pf blocks them. But it seems pftag is not made for this.
> > >
> > > Writing a script and feed it using syslog is doable. But I hoped I could use only relayd and pf.
> >
> > --
> > Best regards
> > Maksim Rodin
> >
> > С уважением,
> > Родин Максим
> >
>
> We're straying from the original problem, but have you considered sshguard?
>
>
> --
>
--
Best regards
Maksim Rodin
No comments:
Post a Comment