freebsd:pf
這是本文件的舊版!
設定 pf
/etc/pf.conf:
ext_if="em0" # 設定網卡
table <ssh_list> { 127.0.0.1 , 192.168.1.1 } # 填寫允許 ssh 登入的 IP 列表
table <block_list> { 211.180.219.200 , 60.248.76.6} # 不允許登入的 IP
set block-policy return
scrub in all
# Filtering: the implicit first two rules are
pass in all
pass out all
block in on $ext_if proto tcp from any to any port 1 >< 1023
block in quick on $ext_if proto tcp from any to any port = 139
block in quick on $ext_if proto tcp from any to any port = 445
block in quick on $ext_if proto udp from any to any port 137 >< 138
block in quick on $ext_if proto tcp from <block_list> to any
# 允許列表中的 IP 登入 ssh
pass in on $ext_if proto tcp from <ssh_list> to $ext_if port 22 keep state
# 允許所有 IP 連接網頁伺服器
pass in on $ext_if proto tcp from any to any port = 80
pass in on $ext_if proto tcp from any to any port = 443
啟動 pf
/etc/rc.conf:
pf_enable="YES" pflog_enable="YES"
# /etc/rc.d/pf start
SSH Brute Force Blocker with PF on FreeBSD
http://home.earthlink.net/~valiantsoul/pf.html
/etc/pf.conf 中增加
table <bruteforce> persist file "/var/db/blacklist" block quick from <bruteforce>
程式碼
#!/usr/bin/perl
use strict;
my @assholes = ();
open (IN, "/var/log/auth.log");
while (<IN>) {
if ($_ =~ /Invalid user.*from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/) {
push(@assholes, $1);
}
if ($_ =~ /Did not receive identification string from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/) {
push(@assholes, $1);
}
}
close (IN);
@assholes = sort {lc($a) cmp lc($b)} @assholes;
my @allowedIPs = ();
open (IN, "/var/db/allowed-ips");
while (<IN>) {
if ($_ =~ /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
push(@allowedIPs, $_);
}
}
close (IN);
chop(@allowedIPs);
my $tmp = "";
foreach my $asshole (@assholes) {
if ($asshole eq $tmp) {
$asshole = "";
} else {
if ($asshole =~ /127\.0\.0\.1/) {
$asshole = "";
}
if ($asshole =~ /192\.168\.[0-9]+\.[0-9]+/) {
$asshole = "";
}
foreach my $allowedIP (@allowedIPs) {
if ($asshole =~ /$allowedIP/) {
$asshole = "";
}
}
$tmp = $asshole;
}
}
@assholes = sort {lc($b) cmp lc($a)} @assholes;
my $popCount = 0;
foreach my $asshole (reverse @assholes) {
if ($asshole eq "") {
$popCount++;
}
}
for (my $i = 0; $i < $popCount; $i++) {
pop (@assholes);
}
my $list = "";
foreach my $asshole (@assholes) {
$list = $list . $asshole . " ";
}
exec "/sbin/pfctl -t bruteforce -T add $list";
加入 Syslog 中 /etc/syslog.conf
auth.info;authpriv.info | exec /usr/bin/perl /sbin/bruteforcer.pl
例外之黑/白名單列表
touch /var/db/blacklist chmod 644 /var/db/blacklist touch /var/db/allowed-ips chmod 644 /var/db/allowed-ips
觀看已經紀錄的列表
pfctl -t bruteforce -T show
freebsd/pf.1257867328.txt.gz · 上一次變更: 2009/11/10 23:35 由 wenpei
若無特別註明,本 wiki 上的內容都是採用以下授權方式: CC Attribution-Noncommercial-Share Alike 3.0 Unported
