On Fri, May 04, 2018 at 11:56:33PM +0000, Kapfhammer, Stefan wrote:
>
> You might want to parse /var/log/authlog and the logrotated authlog.[0-9].gz
> for successful and unsuccessful logins and then add the unsuccessful logins
> with pfctl to a blocked table. To have it permanent after a reboot you can
> write with pfctl the blocked ip's to a file, which you re-read in a pf.conf
> ruleset.
>
> Like
> table <bruteforce> persist file "/etc/pf.bruteforce"
> block in quick proto tcp from <bruteforce> to any
>
> Stefan

This is *exactly* what sshguard does. I have an updated
security/sshguard port (previously posted to the ports list) that
understands our sshd's log output, but it has not yet been committed.
There is currently some kind of issue with it preventing it from
starting at boot (but always starts with "rcctl start sshguard"). I
haven't looked too deeply at that yet though.

Regards,

-- 
Andreas Kusalananda Kähäri,
National Bioinformatics Infrastructure Sweden (NBIS),
Uppsala University, Sweden.
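
Added example, not part of the original thread and not sshguard's code: a sketch of the authlog-to-pf-table approach described in the quoted message. The function names, the threshold of 3, the rule that an address with an accepted login is not blocked, and the default syslog line layout are assumptions; the log lines are constructed.

```sh
#!/bin/sh
# Added example, not from the thread. Log lines are constructed and use
# documentation address ranges; the default threshold of 3 is an assumption.

# find_offenders [min]: read sshd log lines on stdin, print each source address
# with at least `min` failed passwords and no accepted login.
find_offenders() {
    awk -v min="${1:-3}" '
        # Take the LAST "from ADDR port": the user name is remote-supplied
        # text and must not be able to choose which address gets blocked.
        function addr(   i) {
            for (i = NF - 1; i > 1; i--)
                if ($(i - 1) == "from" && $(i + 1) == "port") return $i
            return ""
        }
        # Match on fixed field positions of the default syslog layout
        # (assumption), not on text that may appear anywhere in the line.
        $5 !~ /^sshd\[[0-9]+\]:$/ { next }
        $6 == "Failed" && $7 == "password" { if ((a = addr()) != "") fail[a]++ }
        $6 == "Accepted"                   { if ((a = addr()) != "") ok[a] = 1 }
        END { for (a in fail) if (fail[a] >= min && !(a in ok)) print a }
    ' | sort
}

# block_offenders: add offenders from stdin's log to <bruteforce> and save the
# table to the file that the pf.conf rule above re-reads. Run as root, e.g.
#   { cat /var/log/authlog; zcat /var/log/authlog.[0-9].gz; } | block_offenders
block_offenders() {
    find_offenders | while read -r ip; do pfctl -t bruteforce -T add "$ip"; done
    pfctl -t bruteforce -T show > /etc/pf.bruteforce
}

sample_log() {   # constructed sample input
    cat <<'EOF'
May  4 23:01:12 host sshd[101]: Failed password for root from 203.0.113.5 port 51234 ssh2
May  4 23:01:15 host sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
May  4 23:01:19 host sshd[102]: Failed password for invalid user x from 192.0.2.50 port 22 from 203.0.113.5 port 51240 ssh2
May  4 23:02:00 host sshd[103]: Failed password for alice from 198.51.100.7 port 40020 ssh2
May  4 23:02:04 host sshd[103]: Failed password for alice from 198.51.100.7 port 40020 ssh2
May  4 23:02:09 host sshd[103]: Failed password for alice from 198.51.100.7 port 40020 ssh2
May  4 23:02:15 host sshd[104]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
May  4 23:03:30 host sshd[105]: Failed password for bob from 192.0.2.9 port 33100 ssh2
EOF
}

sample_log | find_offenders
```

Only find_offenders runs on the sample; block_offenders is defined but not called, since it needs pfctl and root.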