Sars' History

本頁是唯讀的，您可以看到原始碼，但不能更動它。您如果覺得它不應被鎖上，請詢問管理員。
====== 設定 pf ======
/etc/pf.conf：
<code>
ext_if="em0"    # 設定網卡

table <ssh_list> { 127.0.0.1 , 192.168.1.1 }    # 填寫允許 ssh 登入的 IP 列表
table <block_list> { 211.180.219.200 , 60.248.76.6}    # 不允許登入的 IP

set block-policy return
scrub in all

# Filtering: the implicit first two rules are
pass in all 
pass out all

block in on $ext_if proto tcp from any to any port 1 >< 1023
block in quick on $ext_if proto tcp from any to any port = 139 
block in quick on $ext_if proto tcp from any to any port = 445 
block in quick on $ext_if proto udp from any to any port 137 >< 138 
block in quick on $ext_if proto tcp from <block_list> to any

# 允許列表中的 IP 登入 ssh
pass  in  on $ext_if proto tcp from <ssh_list> to $ext_if port 22 keep state

# 允許所有 IP 連接網頁伺服器
pass  in on $ext_if proto tcp from any to any port = 80
pass  in on $ext_if proto tcp from any to any port = 443
</code>

====== 啟動 pf ======
/etc/rc.conf：
  pf_enable="YES"
  pflog_enable="YES"

  # /etc/rc.d/pf start

====== SSH Brute Force Blocker with PF on FreeBSD ======
http://home.earthlink.net/~valiantsoul/pf.html

/etc/pf.conf 中增加
  table <bruteforce> persist file "/var/db/blacklist"
  block quick from <bruteforce>

程式碼
<code>
#!/usr/bin/perl

use strict;

my @assholes = ();

open (IN, "/var/log/auth.log");
while (<IN>) {
        if ($_ =~ /Invalid user.*from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/) {
                push(@assholes, $1);
        }
        if ($_ =~ /Did not receive identification string from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/) {
                push(@assholes, $1);
        }
}
close (IN);

@assholes = sort {lc($a) cmp lc($b)} @assholes;

my @allowedIPs = ();
open (IN, "/var/db/allowed-ips");
while (<IN>) {
        if ($_ =~ /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
                push(@allowedIPs, $_);
        }
}
close (IN);

chop(@allowedIPs);

my $tmp = "";
foreach my $asshole (@assholes) {
        if ($asshole eq $tmp) {
                $asshole = "";
        } else {
                if ($asshole =~ /127\.0\.0\.1/) {
                        $asshole = "";
                }
                if ($asshole =~ /192\.168\.[0-9]+\.[0-9]+/) {
                        $asshole = "";
                }
                foreach my $allowedIP (@allowedIPs) {
                        if ($asshole =~ /$allowedIP/) {
                                $asshole = "";
                        }
                }
                $tmp = $asshole;
        }
}

@assholes = sort {lc($b) cmp lc($a)} @assholes;

my $popCount = 0;
foreach my $asshole (reverse @assholes) {
        if ($asshole eq "") {
                $popCount++;
        }
}

for (my $i = 0; $i < $popCount; $i++) {
        pop (@assholes);
}

my $list = "";
foreach my $asshole (@assholes) {
        $list = $list . $asshole . " ";
}

exec "/sbin/pfctl -t bruteforce -T add $list";
</code>

加入 Syslog 中
/etc/syslog.conf
  auth.info;authpriv.info          | exec /usr/bin/perl /sbin/bruteforcer.pl

例外之黑/白名單列表
<code>
touch /var/db/blacklist
chmod 644 /var/db/blacklist
touch /var/db/allowed-ips
chmod 644 /var/db/allowed-ips
</code>

觀看已經紀錄的列表
  pfctl -t bruteforce -T show

====== Denyhosts ======
Reference: http://blog.wu-boy.com/2008/12/26/663/
Sars' History

使用者工具

網站工具

頁面工具
