====== 設定 pf ======
/etc/pf.conf:
ext_if="em0" # 設定網卡
# NOTE: the pf table names written between "<" and ">" were stripped from
# this page by the HTML extraction. The names below are placeholders; any
# name works as long as the table definition and the rules that use it agree.
table <ssh_allowed> { 127.0.0.1 , 192.168.1.1 } # 填寫允許 ssh 登入的 IP 列表
table <ssh_denied> { 211.180.219.200 , 60.248.76.6 } # 不允許登入的 IP
set block-policy return
scrub in all
# Filtering: the implicit first two rules are
pass in all
pass out all
# pf is last-match-wins unless a rule says "quick", so this block is
# overridden by the later "pass in" rules for ports 22/80/443.
# "a >< b" is an EXCLUSIVE range: "1 >< 1023" only covers 2-1022, and
# "137 >< 138" covers nothing at all. Use "a:b" for an inclusive range.
block in on $ext_if proto tcp from any to any port 1:1023
block in quick on $ext_if proto tcp from any to any port = 139
block in quick on $ext_if proto tcp from any to any port = 445
block in quick on $ext_if proto udp from any to any port 137:138
# Denied hosts: "quick" stops rule evaluation, so the pass rules below
# cannot override this.
block in quick on $ext_if proto tcp from <ssh_denied> to any
# 允許列表中的 IP 登入 ssh
pass in on $ext_if proto tcp from <ssh_allowed> to $ext_if port 22 keep state
# 允許所有 IP 連接網頁伺服器
pass in on $ext_if proto tcp from any to any port = 80
pass in on $ext_if proto tcp from any to any port = 443
====== 啟動 pf ======
/etc/rc.conf:
pf_enable="YES"
pflog_enable="YES"
# /etc/rc.d/pf start
====== SSH Brute Force Blocker with PF on FreeBSD ======
http://home.earthlink.net/~valiantsoul/pf.html
/etc/pf.conf 中增加 (the table name <bruteforce> was stripped by the page extraction; it must match the "-t bruteforce" the script passes to pfctl; put the block rule before the "pass in" rules)
table <bruteforce> persist file "/var/db/blacklist"
block quick from <bruteforce>
# "file" is read only when the ruleset is loaded; "pfctl -T add" changes the
# running table and does NOT write /var/db/blacklist, so addresses added at
# runtime are lost on "pfctl -f /etc/pf.conf" unless you also append them to
# the file (e.g. with "pfctl -t bruteforce -T show >> /var/db/blacklist").
程式碼
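#!/usr/bin/perl
# Scan /var/log/auth.log for sshd failure lines, collect the IPv4 source
# addresses, drop loopback / 192.168.0.0/16 / anything listed in
# /var/db/allowed-ips, and add the remainder to the pf table <bruteforce>.
#
# Things a deployer should know:
#   * A single matching line is enough to block an address ($MIN_HITS = 1,
#     the original behaviour). One mistyped username from an admin host that
#     is not in /var/db/allowed-ips locks that host out of port 22.
#   * Only IPv4 addresses are handled; IPv6 sources are ignored.
#   * The whole log is rescanned on every run and every address is re-added;
#     pfctl tolerates addresses that are already in the table.
#   * "pfctl -T add" changes the running table only; it does not update
#     /var/db/blacklist, so entries are lost when the ruleset is reloaded.
use strict;
use warnings;

my $AUTH_LOG = '/var/log/auth.log';
my $ALLOWED  = '/var/db/allowed-ips';
my $PFCTL    = '/sbin/pfctl';
my $TABLE    = 'bruteforce';
my $MIN_HITS = 1;    # matching log lines per address before it is blocked

# Dotted-quad IPv4 address, bounded on both sides so that "10.0.0.1" can never
# match inside "110.0.0.10". [0-9] rather than \d: the log is ASCII bytes.
my $IPV4 = qr/(?<![0-9])([0-9]{1,3}(?:\.[0-9]{1,3}){3})(?![0-9])/;

# Lines sshd writes on a failed attempt. ".*" is greedy, so an attacker-chosen
# username containing "from x.x.x.x" cannot displace the real source address,
# which sshd appends after the username.
my @FAILURE_PATTERNS = (
    qr/Invalid user.*from $IPV4/,
    qr/Did not receive identification string from $IPV4/,
);

# Count matching failure lines per source address.
# $fh: readable filehandle on the auth log. Returns { ip => count }.
sub count_failures {
    my ($fh) = @_;
    my %hits;
    while (my $line = <$fh>) {
        for my $re (@FAILURE_PATTERNS) {
            if ($line =~ $re) {
                $hits{$1}++;
                last;
            }
        }
    }
    return \%hits;
}

# Read the exemption list: one IPv4 address per line, optionally followed by
# whitespace and a comment; any other line is ignored.
# $fh: readable filehandle. Returns { ip => 1 }.
sub read_allowed {
    my ($fh) = @_;
    my %allowed;
    while (my $line = <$fh>) {
        $allowed{$1} = 1 if $line =~ /^\s*$IPV4(?:\s|$)/;
    }
    return \%allowed;
}

# Pick the addresses to block, sorted for a stable pfctl argument list.
# Loopback (127/8) and 192.168/16 are never blocked; other private ranges
# (10/8, 172.16/12) must be listed in the allow file if they need exempting.
# Comparisons are exact string matches, not substring regexes.
sub select_targets {
    my ($hits, $allowed, $min_hits) = @_;
    my @targets;
    for my $ip (sort keys %$hits) {
        next if $hits->{$ip} < $min_hits;
        next if $ip =~ /^127\./;
        next if $ip =~ /^192\.168\./;
        next if $allowed->{$ip};
        push @targets, $ip;
    }
    return @targets;
}

sub main {
    open my $log, '<', $AUTH_LOG or die "open $AUTH_LOG: $!\n";
    my $hits = count_failures($log);
    close $log;

    my $allowed = {};
    if (open my $fh, '<', $ALLOWED) {
        $allowed = read_allowed($fh);
        close $fh;
    }
    else {
        # A missing allow file only means nothing is exempted (as before).
        warn "open $ALLOWED: $! (no addresses exempted)\n";
    }

    my @targets = select_targets($hits, $allowed, $MIN_HITS);
    # pfctl errors out on "-T add" with no addresses; nothing to do.
    exit 0 unless @targets;

    # List-form exec: no shell is involved, so the addresses (digits and dots
    # only, by construction) are passed as literal arguments.
    exec $PFCTL, '-t', $TABLE, '-T', 'add', @targets
        or die "exec $PFCTL: $!\n";
}

main() unless caller;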
加入 Syslog 中
/etc/syslog.conf
auth.info;authpriv.info | exec /usr/bin/perl /sbin/bruteforcer.pl
# syslogd runs this as root (pfctl needs that) and feeds the selected messages
# to the command's stdin. The script ignores stdin and instead rescans the whole
# /var/log/auth.log each time it runs, so every new auth message costs a full log
# parse; syslogd starts the command again after it exits. Because it runs as root,
# /sbin/bruteforcer.pl must be owned by root and not writable by anyone else.
例外之黑/白名單列表
touch /var/db/blacklist
chmod 644 /var/db/blacklist
touch /var/db/allowed-ips
chmod 644 /var/db/allowed-ips
# Both files should stay root-owned: anything written to allowed-ips is exempt
# from blocking, and blacklist is loaded into the pf table on every ruleset
# load, so neither may be group- or world-writable (644 is correct).
觀看已經紀錄的列表
pfctl -t bruteforce -T show
====== Denyhosts ======
Reference: http://blog.wu-boy.com/2008/12/26/663/