I wrote a small bash script that parses my /var/log/auth.log, creates an array of IP addresses that have "exceeded maximum authentication attempts", cross-references those to

pfctl -t bruteforce -T show

and adds any new addresses in the log file to the bruteforce persist file... I've done this because, since I added the persist file and overflow line recommended at https://www.freebsd.org/doc/handbook/firewalls-pf.html, which looks like this:

Code:
pass in log quick on $ext_if inet proto tcp from any \
    to { $ext_ip, $localnet } port 22 \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 3/9, \
    overload <bruteforce> flush global)

I have noticed my logs filling up with low-volume attacks spaced out to not trip the overflow line.

I have two questions...

#1. How do I have this script inject messages into /var/log/messages to let me know what addresses it has added?

#2. Regardless of how many ways I try, I cannot get this script to redirect the output from pfctl to /dev/null. I always see the output on the screen stating 1/1 addresses were added. This is the bit of code:

Code:
for (( c=0; c<${#NewIP[@]}; c++ )); do
    pfctl -t $OverflowFile -T add ${NewIP[$c]} &>/dev/null
done

Any ideas why this isn't working?
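Both questions answered in one script, as an added example that is not part of the original post or of the FreeBSD handbook. The most likely reason the redirect has no effect is that the script is being run by /bin/sh rather than bash: `&>` is a bash extension, and sh reads `cmd &>/dev/null` as `cmd &` followed by a redirection applied to an empty command, so pfctl runs in the background with its stderr still attached to the terminal, and the "1/1 addresses added." message is written to stderr. `>/dev/null 2>&1` works in every Bourne-style shell, and pfctl's -q flag suppresses that message outright. For the first question, logger(1) submits to syslog at user.notice by default, which the stock FreeBSD /etc/syslog.conf routes to /var/log/messages. The script assumes the table name bruteforce from the handbook rule, a syslog tag pf-bruteforce of my own choosing, and the OpenSSH wording "maximum authentication attempts exceeded ... from <ip>"; the sample log lines are constructed, and PFCTL/LOGGER are overridable so the parsing and diffing can be exercised on a box without pf.

```sh
#!/bin/sh
# Hypothetical companion script (not the poster's, not from the FreeBSD handbook).
# Written in POSIX sh on purpose: "&>/dev/null" is a bash-only redirection.
# Under FreeBSD's /bin/sh it parses as "&" (run in background) followed by
# ">/dev/null" on an empty command, so pfctl's "1/1 addresses added." message,
# which goes to stderr, still lands on the terminal.  The portable form is
# ">/dev/null 2>&1", and pfctl -q suppresses that message anyway.

TABLE="${TABLE:-bruteforce}"     # pf table name from the handbook rule
TAG="${TAG:-pf-bruteforce}"      # syslog tag (assumed name)
PFCTL="${PFCTL:-pfctl}"          # overridable so the logic can be exercised without pf
LOGGER="${LOGGER:-logger}"

# Constructed sample of the sshd lines being parsed; not real log data.
SAMPLE_LOG='Dec  3 02:14:07 gw sshd[5012]: error: maximum authentication attempts exceeded for root from 203.0.113.5 port 40112 ssh2 [preauth]
Dec  3 02:14:09 gw sshd[5012]: Disconnecting authenticating user root 203.0.113.5 port 40112: Too many authentication failures [preauth]
Dec  3 02:19:41 gw sshd[5031]: error: maximum authentication attempts exceeded for invalid user admin from 198.51.100.23 port 51002 ssh2 [preauth]
Dec  3 02:25:03 gw sshd[5044]: error: maximum authentication attempts exceeded for root from 203.0.113.5 port 40201 ssh2 [preauth]
Dec  3 02:30:00 gw sshd[5050]: Accepted publickey for alice from 192.0.2.10 port 33000 ssh2'

# Print, de-duplicated, every source address that sshd reported with
# "maximum authentication attempts exceeded ... from <ip>".  Log on stdin.
extract_offenders() {
    grep 'maximum authentication attempts' \
        | sed -nE 's/.* from ([0-9]{1,3}(\.[0-9]{1,3}){3}) .*/\1/p' \
        | sort -u
}

# The live table, one address per line.  pfctl indents each entry, so strip
# the leading whitespace to make the lines comparable.
current_table() {
    "$PFCTL" -t "$TABLE" -T show 2>/dev/null | sed 's/^[[:space:]]*//'
}

# Keep only the addresses on stdin that are not listed in file $1.
new_addresses() {
    grep -vxF -f "$1" || true    # grep exits 1 when nothing is left; not an error here
}

# Answer to both questions: add one address with pfctl silenced portably,
# then announce it with logger(1).  logger's default priority is user.notice,
# which the stock FreeBSD syslog.conf routes to /var/log/messages.
ban_address() {
    ip="$1"
    if "$PFCTL" -q -t "$TABLE" -T add "$ip" >/dev/null 2>&1; then
        "$LOGGER" -t "$TAG" "added $ip to table <$TABLE>"
        return 0
    fi
    "$LOGGER" -t "$TAG" "failed to add $ip to table <$TABLE>"
    return 1
}

# Parse the given log, diff against the table, ban and log what is new.
main() {
    log="$1"
    known="$(mktemp)"
    current_table > "$known"
    extract_offenders < "$log" | new_addresses "$known" | while read -r ip; do
        ban_address "$ip" || true    # failure is already in syslog; keep going
    done
    rm -f "$known"
}

# Run only when a log file is named, e.g.:  sh pf_ban.sh /var/log/auth.log
[ $# -eq 0 ] || main "$1"
```

Run it from cron as `sh pf_ban.sh /var/log/auth.log`; TABLE plays the role of the poster's $OverflowFile. Because the table diff is done with a plain text comparison against `pfctl -T show`, re-running the script never re-adds (or re-logs) an address that is already in the table.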