Cool!

On Sat, May 5, 2018 at 3:17 AM Andreas Kusalananda Kähäri <andreas.kah...@icm.uu.se> wrote:

> On Fri, May 04, 2018 at 11:56:33PM +0000, Kapfhammer, Stefan wrote:
> >
> > You might want to parse /var/log/authlog and the logrotated authlog.[0-9].gz
> > for successful and unsuccessful logins and then add the unsuccessful logins
> > with pfctl to a blocked table. To have it permanent after a reboot you can write
> > with pfctl the blocked IPs to a file, which you re-read in a pf.conf ruleset.
> >
> > Like
> > table <bruteforce> persist file "/etc/pf.bruteforce"
> > block in quick proto tcp from <bruteforce> to any
> >
> > Stefan
>
> This is *exactly* what sshguard does. I have an updated
> security/sshguard port (previously posted to the ports list) that
> understands our sshd's log output, but it has not yet been committed.
> There is currently some kind of issue with it preventing it from
> starting at boot (but always starts with "rcctl start sshguard"). I
> haven't looked too deeply at that yet though.
>
> Regards,
>
> --
> Andreas Kusalananda Kähäri,
> National Bioinformatics Infrastructure Sweden (NBIS),
> Uppsala University, Sweden.
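
The approach described in the quoted message, as an added example that is not part of the thread and is not sshguard's code: it counts failed password attempts per source address in sshd log lines and feeds the result to the `<bruteforce>` table. The sample log lines, the threshold and the function names are constructed for illustration; the address is read from the fixed tail of each line because the username field is attacker-controlled.

```shell
#!/bin/sh
# Added example (not from the thread). Function names, threshold and the
# sample log lines are assumptions made for illustration.

# Read sshd syslog lines on stdin; print every source address that has at
# least $1 (default 3) "Failed password" entries, one per line, sorted.
failed_sources() {
    awk -v min="${1:-3}" '
        /sshd\[[0-9]+\]: Failed password for / {
            # A login name may itself contain " from 192.0.2.9", so only
            # trust the fixed tail of the line: from <addr> port <n> ssh2
            if (NF >= 5 && $(NF-4) == "from" && $(NF-2) == "port")
                count[$(NF-3)]++
        }
        END { for (ip in count) if (count[ip] >= min) print ip }
    ' | sort
}

# Add addresses read on stdin to the pf table, then dump the table to the
# file named in the "table <bruteforce> persist file ..." rule so that the
# entries survive a reboot. Needs root and pf; not called in this demo.
block_sources() {
    while read -r ip; do
        pfctl -t bruteforce -T add "$ip"
    done
    pfctl -t bruteforce -T show > /etc/pf.bruteforce
}

# Constructed sample input using documentation address ranges.
sample_authlog() {
    cat <<'EOF'
May  5 01:02:03 host sshd[1234]: Failed password for root from 203.0.113.5 port 40001 ssh2
May  5 01:02:05 host sshd[1234]: Failed password for root from 203.0.113.5 port 40001 ssh2
May  5 01:02:07 host sshd[1240]: Failed password for invalid user admin from 203.0.113.5 port 40010 ssh2
May  5 01:03:00 host sshd[1250]: Failed password for invalid user x from 192.0.2.9 from 198.51.100.7 port 40020 ssh2
May  5 01:03:10 host sshd[1251]: Accepted publickey for alice from 192.0.2.44 port 50000 ssh2
EOF
}

# Demo on the sample data. On a real host the pipeline would be, as root:
#   { zcat /var/log/authlog.[0-9].gz; cat /var/log/authlog; } \
#       | failed_sources 3 | block_sources
sample_authlog | failed_sources 3
```
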