Re: machine hangs on occasion - correlated with ssh break-in attempts



I do something related to this with fwlogwatch although it can probably
be adapted to any similar tool; when I hit the 'block' threshold, I
execute something like:

#!/bin/sh
# Run by fwlogwatch when the block threshold is hit; $3 is the offending
# address as handed over by the response hook. The table value is the
# current hour (0-23), which is the tag the hourly cleaner keys on.
HR=`date "+%-k"`
/sbin/ipfw table 0 add "$3" ${HR}

.. so each entry has a tag indicating the hour at which the block was
initiated.

At five minutes to the hour, I run a simple cron job which does this to
clean out everything older than 24 hours:

#!/bin/sh
# Cron job, run at five minutes to the hour: drop every entry tagged with
# the *next* hour, i.e. entries added roughly 23 hours 55 minutes ago.
# `date -v+1H` (FreeBSD date) takes care of the 23 -> 0 wrap-around.
HR=$(date -v+1H "+%-k")
LOG=/var/log/fwlw_clean_log
# `ipfw table 0 list` prints one "addr/masklen value" line per entry; read
# it straight from the pipe instead of via a predictable file in /tmp.
/sbin/ipfw table 0 list |
while read ADDR TAG
do
    case "$TAG" in
    ${HR})
        /sbin/ipfw table 0 delete "$ADDR"
        echo "$(date +%H:%M:%S) fwlw_clean: removed $ADDR from table 0" >>$LOG
        ;;
    esac
done

I also have a script in /usr/local/etc/rc.d which saves the current
state in the event of an orderly shutdown and restores it on boot:

#!/bin/sh
# rc.d script: save table 0 on an orderly shutdown, restore it on boot.
CACHE=/var/db/ipfw/cache0

case "$1" in
start)
    # Nothing to restore on the first boot, or after a crash that left no
    # cache behind.
    [ -r "$CACHE" ] || exit 0
    # Each saved line is "addr/masklen tag", exactly as `ipfw table 0 list`
    # printed it; re-add it with the same tag so the hourly cleaner still
    # expires it at the right time.
    while read ADDR TAG
    do
        [ -n "$ADDR" ] && /sbin/ipfw table 0 add "$ADDR" "$TAG"
    done <"$CACHE"
    ;;
stop)
    /sbin/ipfw table 0 list >"$CACHE"
    ;;
restart)
    $0 $DEBUG stop
    $0 $DEBUG start
    exit $?
    ;;
*)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac
exit 0

Of course, this only works for IPv4 because of the restriction on the
ipfw table data, but it's just an example.

Michael

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
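
The hour-of-day tag in the post above only works if the cleaner runs in
exactly the right cron slot, and an entry saved at shutdown is restored
with its old tag even if the machine was down for days. The script below
is an added example, not Michael's code: it keeps the same
block / sweep / save / restore cycle but tags each entry with the epoch
second at which it was added. ipfw's table value is an unsigned 32-bit
integer, so a Unix timestamp fits until 2106 and an entry's age can be
computed exactly. Assumed here, not stated in the post: table number 0,
a retention period MAX_AGE in seconds, the cache and log paths, and that
the block hook receives the offending address as its first argument. The
filter is a plain function over the `ipfw table N list` format so it can
be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): block/expire/save/restore
# for an ipfw table keyed on epoch seconds rather than the hour of day.
# Assumptions: table 0, MAX_AGE in seconds, the paths below, and that the
# response hook passes the offending address as $1.

TABLE=${TABLE:-0}
MAX_AGE=${MAX_AGE:-86400}
CACHE=${CACHE:-/var/db/ipfw/cache0}
LOG=${LOG:-/var/log/fwlw_clean_log}

# filter_by_age NOW MAX_AGE expired|fresh
# Reads "addr/masklen value" lines (the format `ipfw table N list` prints)
# on stdin and echoes those whose tag puts them on the requested side of
# the retention window. Untagged or non-numeric values are never echoed,
# so a hand-added entry is neither swept nor restored by mistake. A tag in
# the future (clock skew) counts as fresh, not expired.
filter_by_age() {
    now=$1; max_age=$2; want=$3
    while read -r addr value _; do
        case $value in
            ''|*[!0-9]*) continue ;;
        esac
        if [ $((now - value)) -gt "$max_age" ]; then
            state=expired
        else
            state=fresh
        fi
        if [ "$state" = "$want" ]; then
            printf '%s %s\n' "$addr" "$value"
        fi
    done
}

# block ADDR: called from the fwlogwatch response hook; tag with "now".
block() {
    /sbin/ipfw table "$TABLE" add "$1" "$(date +%s)"
}

# sweep: cron job; delete every entry older than MAX_AGE and log it.
# Because the age is exact, the cron slot no longer matters.
sweep() {
    /sbin/ipfw table "$TABLE" list |
    filter_by_age "$(date +%s)" "$MAX_AGE" expired |
    while read -r addr _; do
        /sbin/ipfw table "$TABLE" delete "$addr" &&
        printf '%s fwlw_clean: removed %s from table %s\n' \
            "$(date +%H:%M:%S)" "$addr" "$TABLE" >>"$LOG"
    done
}

# save / restore: rc.d stop and start. Restore re-adds only entries that
# are still within MAX_AGE, so blocks that expired while the machine was
# down do not come back for another full retention period.
save() {
    /sbin/ipfw table "$TABLE" list >"$CACHE"
}
restore() {
    [ -r "$CACHE" ] || return 0
    filter_by_age "$(date +%s)" "$MAX_AGE" fresh <"$CACHE" |
    while read -r addr value; do
        /sbin/ipfw table "$TABLE" add "$addr" "$value"
    done
}

case ${1-} in
    block)   block "$2" ;;
    sweep)   sweep ;;
    save)    save ;;
    restore) restore ;;
    '')      : ;;   # run or sourced without arguments: only define functions
    *)       echo "usage: $0 {block ADDR|sweep|save|restore}" >&2; exit 1 ;;
esac
```

Hook it up as `script block "$ADDR"` from the fwlogwatch response, `script
sweep` from cron at whatever interval suits, and `script save` / `script
restore` from the rc.d stop and start branches. Like the original, this is
IPv4-only because of the table address type.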


