Re: machine hangs on occasion - correlated with ssh break-in attempts



I do something related to this with fwlogwatch although it can probably
be adapted to any similar tool; when I hit the 'block' threshold, I
execute something like:

#!/bin/sh
HR=`date "+%-k"`
/sbin/ipfw table 0 add $3 ${HR}

.. so each entry has a tag indicating the hour at which the block was
initiated.

At 5 to the hour, I run a simple cron job which does this to clean out
everything older than 24 hours ..

#!/bin/sh
HR=`date -v+1H "+%-k"`
/sbin/ipfw table 0 list >/tmp/xx.$$
cat /tmp/xx.$$ |
while read LINE
do
set $LINE
case "$2" in
${HR})
/sbin/ipfw table 0 delete $1
echo -n `date +"%H:%M:%S"` >>/var/log/fwlw_clean_log
echo " fwlw_clean: removed $1 from table 0"
/var/log/fwlw_clean_log
esac
done
rm /tmp/xx.$$

I also have a script in /usr/local/etc/rc.d which saves the current
state in the event of an orderly shutdown and restores it on boot:

#!/bin/sh
case "$1" in
start)
cat /var/db/ipfw/cache0 | while read LINE
do
set $LINE
/sbin/ipfw table 0 add $1 $2
done
;;
stop)
/sbin/ipfw table 0 list >/var/db/ipfw/cache0
;;
restart)
$0 $DEBUG stop
$0 $DEBUG start
exit $?
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
;;
esac
exit 0

Of course, this only works for ipv4 because of the restriction on the
ipfw table data but it's just an example,

Michael

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"