I use an "intruder" table within pf
table <intruders> file "/etc/pf.intruders"

Then in pf rules:
block drop in log-all from <intruders> to any

Then I run this script out of cron on a periodic basis (remove the echo statements for cron use - I like to run it manually, too)

#!/usr/local/bin/bash
# This counts the number of failed login attempts from every IP address in /var/log/authlog
# and adds the worst offenders to the pf <intruders> table.
# The awk field numbers ($13, $11) assume the standard authlog layout:
#   "... sshd[pid]: Failed password for invalid user NAME from IP port N ssh2"
#   "... sshd[pid]: Failed password for root from IP port N ssh2"

INTRUDERS=/etc/pf.intruders
TMP=$(mktemp /etc/pf.intruders.XXXXXX) || exit 1

echo
echo
echo "The following is a list of failed login attempts:"
echo
echo "    # Tries     IP Address"
echo
# sort before uniq -c, otherwise only adjacent repeats of an address are counted together
grep Failed /var/log/authlog | awk '{print $13"\t"$14}' | grep port | awk '{print $1}' \
    | sort | uniq -c | sort -n | awk '{print "\t"$1"\t"$2}' > "$TMP"
cat "$TMP"
# set the following number to set tolerance level - currently set to 20
awk '{if ($1 >= 20) print $2}' "$TMP" >> "$INTRUDERS"

# The following addresses have tried to log in as root
echo
echo "The following is a list of failed root login attempts:"
echo
echo "    # Tries     IP Address"
echo
grep root /var/log/authlog | grep -i fail | awk '{print $11}' \
    | sort | uniq -c | sort -n | awk '{print "\t"$1"\t"$2}' > "$TMP"
cat "$TMP"
awk '{print $2}' "$TMP" >> "$INTRUDERS"

# The following addresses have successfully logged in as root - this should NEVER contain any entries
echo
echo "The following is a list of successful root logins:"
echo
echo "    # Tries     IP Address"
echo
grep root /var/log/authlog | grep -v -i fail | grep -v su | awk '{print $11}' \
    | sort | uniq -c | sort -n | awk '{print "\t"$1"\t"$2}'

# ensure only unique addresses and keep out my addresses (W.X.Y.Z) from the restricted list
grep -v 'W.X.Y.Z' "$INTRUDERS" | sort -u > "$TMP"
cp "$TMP" "$INTRUDERS"
rm -f "$TMP"

# replace the intruders table with the updated table
pfctl -t intruders -T replace -f "$INTRUDERS"
echo -n "Hack Check last ran at: " >> /var/log/hackchklog
date >> /var/log/hackchklog
echo
echo "Addresses with more than 20 login attempts or any attempt to login as root have been copied to $INTRUDERS"
cat /var/log/hackchklog
echo


I also like to check out the IP addresses that produce the greatest number of packets that have been blocked & logged:

echo "IP Addresses of Blocked Packets "
# -F. must be given on the command line: assigning FS inside the action only takes effect from the next record on
tcpdump -n -e -ttt -r /var/log/pflog | awk '{print $10}' | awk -F. '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -n


John Marten wrote:

You know what I mean? Every day I get some script kiddie, or adult,
trying to guess usernames or passwords.
I've installed the newest version of SSH, so I'm covered there. But I
still get a dozen or 2 of the
"sshd Invalid user somename from ###.##.##.###"
"input_userauth_request: invalid user somename"
"Failed password for invalid user somename"
"Received disconnect from ###.##.##.###"
Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
from ###.##.##.### to any flags S/SA'
entry in my pf.conf file. But if I had to do that for every hacker my
pf.conf would be huge!
There's got to be a better way, and I'm open to suggestions.


John F. Marten III

Information Technology Specialist
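The same check as an added example, not the poster's script and not part of either message: it picks the address out of the "from <ip>" token instead of a fixed awk field number, so "invalid user" lines (which shift the fields) and plain "Failed password for root" lines are counted by one pass, sorts before counting, and writes the table file atomically. The variable names (THRESHOLD, MYNET, TABLE, PF_RELOAD), the function names, and the sample log lines are all assumptions made up for this example; the pfctl reload is only run when PF_RELOAD=1 so the script can be tried on any host first.

```shell
#!/bin/sh
# Added example, not the original poster's script: build a pf <intruders>
# table from sshd failures in an authlog-style file. THRESHOLD, MYNET, TABLE
# and PF_RELOAD are hypothetical knobs; override them in the environment.
set -u

THRESHOLD="${THRESHOLD:-20}"         # failures before an address is blocked
MYNET="${MYNET:-203.0.113.}"         # hypothetical: own address prefix, never blocked
TABLE="${TABLE:-/etc/pf.intruders}"  # only written when update_table is called

# Print "<failures> <root-failures> <ip>" per source address, most failures
# first. The address is the token after "from", whatever its field number.
count_failures() {
    awk '
        /sshd\[[0-9]+\]: Failed / {
            for (i = 1; i < NF; i++)
                if ($i == "from" && $(i+1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                    ip = $(i+1)
                    fail[ip]++
                    if ($0 ~ / for root from /) rootfail[ip]++
                    break
                }
        }
        END { for (ip in fail) print fail[ip], rootfail[ip] + 0, ip }
    ' "$1" | sort -rn
}

# Addresses to block: at least THRESHOLD failures, or any failure as root,
# never anything under the MYNET prefix. One address per line, sorted, unique.
select_intruders() {
    count_failures "$1" | awk -v thr="$THRESHOLD" -v mynet="$MYNET" '
        (mynet == "" || index($3, mynet) != 1) && ($1 >= thr || $2 > 0) { print $3 }
    ' | sort -u
}

# Rewrite the table file atomically, then reload it (only with PF_RELOAD=1).
update_table() {
    log=$1
    table=$2
    tmp=$(mktemp "$table.XXXXXX") || return 1
    if ! select_intruders "$log" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$table" || return 1
    if [ "${PF_RELOAD:-0}" = 1 ]; then
        pfctl -t intruders -T replace -f "$table"
    fi
}

# Constructed sample log (not real data): 21 failures from 198.51.100.7, one
# root failure from 192.0.2.9, two ordinary failures plus a success from
# 192.0.2.10, and one root failure from an address inside MYNET.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan  1 00:00:01 host sshd[1001]: Invalid user admin from 198.51.100.7
Jan  1 00:00:03 host sshd[1002]: Failed password for root from 192.0.2.9 port 50001 ssh2
Jan  1 00:00:04 host sshd[1003]: Failed password for bob from 192.0.2.10 port 50002 ssh2
Jan  1 00:00:05 host sshd[1003]: Failed password for bob from 192.0.2.10 port 50002 ssh2
Jan  1 00:00:06 host sshd[1003]: Accepted password for bob from 192.0.2.10 port 50002 ssh2
Jan  1 00:00:07 host sshd[1004]: Failed password for root from 203.0.113.5 port 50003 ssh2
EOF
    i=1
    while [ "$i" -le 21 ]; do
        printf 'Jan  1 00:01:%02d host sshd[1005]: Failed password for invalid user admin from 198.51.100.7 port %d ssh2\n' \
            "$i" $((40000 + i)) >> "$1"
        i=$((i + 1))
    done
}

SAMPLE_LOG=$(mktemp) || exit 1
write_sample_log "$SAMPLE_LOG"
echo "failures root-failures address"
count_failures "$SAMPLE_LOG"
echo "addresses for <intruders>:"
select_intruders "$SAMPLE_LOG"
# update_table /var/log/authlog "$TABLE"   # as root, with PF_RELOAD=1, for the real thing
rm -f "$SAMPLE_LOG"
```

With the defaults the sample yields 192.0.2.9 (one root failure is enough) and 198.51.100.7 (21 failures); 192.0.2.10 stays under the threshold and 203.0.113.5 is excluded by the MYNET prefix. Note that matching on "from <ip>" is still tied to the OpenSSH message wording, so check a few real authlog lines against the awk pattern before putting this in cron.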
