You could try this: https://github.com/mpfr/pftbld
It uses pf tables instead of anchors to achieve the same goal.
Handling sshd abusers may be accomplished by first using pf source-tracking
to catch them. For example:
------
# hosts that tripped the source-tracking limits below
table <abusers_catch> persist
block in quick from <abusers_catch>
# more than 50 concurrent connections, or more than 5 new ones within 180 s,
# puts the source into <abusers_catch> and kills its existing states
pass in on egress proto tcp to egress port ssh keep state ( \
    max-src-conn 50, max-src-conn-rate 5/180, \
    overload <abusers_catch> flush global \
)
------
After that, abusers may be fed to pftbld by a cron-controlled script.
For example:
------
#!/bin/ksh
# pf table filled by the overload rule above
table='abusers_catch'
pftblctl='/usr/local/sbin/pftblctl'
# socket of the pftbld instance configured for ssh abusers
sock='/var/run/pftbld-abuse.sock'
# hand each address to pftbld; drop it from the pf table only once
# pftbld has acknowledged it, so nothing is lost if pftbld is not running
pfctl -t "${table}" -T show | while read -r ip; do
    [[ $(${pftblctl} -s "${sock}" "${ip}") = 'ACK' ]] \
        && pfctl -q -t "${table}" -T delete "${ip}"
done
------
Handling httpd abusers is simpler and more straightforward, as shown in the
pftbld documentation.
On 2021-03-24 19:33, jeanpierre wrote:
> Does there exist an OpenBSD analogue for FreeBSD's blacklistd daemon?
>
> For the sake of completeness: blacklistd is a daemon that, using pf
> anchors, blocks connections from abusive hosts to particular services
> (e.g. sshd) until they start behaving themselves again.
>
> I find it very useful for trimming down log files.
>
> Regards,
> Jean-Pierre
>
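Added example, not part of this thread and not pftbld's own code: a variant of
the cron script above that only hands pftbld entries that look like an address
or prefix, deletes an entry from the pf table only after pftbld replied ACK, and
reports each entry's outcome so a cron mail shows what happened. It assumes the
documented pftbld behaviour that sending an address to the socket answers "ACK",
and that `pfctl -t TABLE -T show` prints one entry per line. The script name
feed-pftbld and the PFCTL/PFTBLCTL overrides (used so the logic can be exercised
without a real pf or pftbld) are this example's own invention.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the pftbld project).
# Feed entries of a pf overload table to a pftbld socket, deleting each
# entry only after pftbld acknowledged it. The pfctl and pftblctl commands
# are injectable through PFCTL / PFTBLCTL (hypothetical knobs for testing).

PFCTL="${PFCTL:-/sbin/pfctl}"
PFTBLCTL="${PFTBLCTL:-/usr/local/sbin/pftblctl}"

# Accept only the forms `pfctl -T show` legitimately prints: an IPv4 or
# IPv6 address, optionally with a prefix length. Anything else is skipped
# rather than handed to pftblctl.
looks_like_addr() {
    case "$1" in
        '' | *[!0-9A-Fa-f.:/]*) return 1 ;;   # empty or foreign characters
        *.*.*.* | *:*)          return 0 ;;   # dotted quad or IPv6 (colons)
        *)                      return 1 ;;   # e.g. a bare hex word
    esac
}

# feed_table TABLE SOCKET
# Prints "<entry> fed|nak|skipped|stuck", one line per table entry, and
# returns 1 if any entry could not be handed over (pftbld down, NAK, or
# pfctl refused the delete). Nothing is removed from the table before
# pftbld has said ACK, so a pftbld outage loses no addresses.
feed_table() {
    table="$1"; sock="$2"; rc=0
    # intentional word splitting: -T show prints indented, one entry per line
    for ip in $("$PFCTL" -t "$table" -T show); do
        if ! looks_like_addr "$ip"; then
            printf '%s skipped\n' "$ip"
            continue
        fi
        reply=$("$PFTBLCTL" -s "$sock" "$ip" 2>/dev/null) || reply=""
        if [ "$reply" != "ACK" ]; then
            printf '%s nak\n' "$ip"
            rc=1
            continue
        fi
        if "$PFCTL" -q -t "$table" -T delete "$ip"; then
            printf '%s fed\n' "$ip"
        else
            printf '%s stuck\n' "$ip"
            rc=1
        fi
    done
    return "$rc"
}

# Cron entry (example):  */5 * * * *  /usr/local/sbin/feed-pftbld abusers_catch /var/run/pftbld-abuse.sock
case "$0" in
    */feed-pftbld | feed-pftbld) feed_table "$@" ;;
esac
```

Running it from cron with the table and socket as arguments mirrors the original
script; the non-zero exit status on a failed hand-over is what makes a cron
mail show up only when pftbld is not taking addresses.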