Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address.
Bruteblock allows system administrators to block various bruteforce attacks on UNIX services. The program analyzes system logs and adds attacker's IP address into ipfw2 table effectively blocking them. Addresses are automatically removed from the table after specified abound of time.
I was well aware what the OP asked for.EdGe said:The OP asks how to block attacks to the game servers port.
Neither is going to work in this case because neither can read the game server's logs. Both tools only respond when they detect a certain line in the log file that indicates a failed login attempt.Question to the audience, to do this, how about security/py-fail2ban or security/bruteblock
IPF="ipfw -q add"
ipfw -q -f flush
#P2P FiXX
$IPF 4 allow all from 94.102.0.120 to any 12001
$IPF 5 allow all from 127.0.0.0/8 to any 12001
$IPF 6 deny all from any to me 12001
$IPF 7 allow all from 94.102.0.120 to any 14000
$IPF 8 allow all from 127.0.0.0/8 to any 14000
$IPF 9 deny all from any to me 14000
$IPF 10 allow all from 94.102.0.120 to any 14001
$IPF 11 allow all from 127.0.0.0/8 to any 14001
$IPF 12 deny all from any to me 14001
$IPF 13 allow all from 94.102.0.120 to any 14002
$IPF 14 allow all from 127.0.0.0/8 to any 14002
$IPF 15 deny all from any to me 14002
$IPF 16 allow all from 94.102.0.120 to any 14003
$IPF 17 allow all from 127.0.0.0/8 to any 14003
$IPF 18 deny all from any to me 14003
$IPF 19 allow all from 94.102.0.120 to any 14004
$IPF 20 allow all from 127.0.0.0/8 to any 14004
$IPF 21 deny all from any to me 14004
$IPF 22 allow all from 94.102.0.120 to any 14061
$IPF 23 allow all from 127.0.0.0/8 to any 14061
$IPF 24 deny all from any to me 14061
$IPF 25 allow all from 94.102.0.120 to any 14099
$IPF 26 allow all from 127.0.0.0/8 to any 14099
$IPF 27 deny all from any to me 14099
$IPF 28 allow all from 94.102.0.120 to any 17000
$IPF 29 allow all from 127.0.0.0/8 to any 17000
$IPF 30 deny all from any to me 17000
$IPF 31 allow all from 94.102.0.120 to any 17001
$IPF 32 allow all from 127.0.0.0/8 to any 17001
$IPF 33 deny all from any to me 17001
$IPF 34 allow all from 94.102.0.120 to any 17002
$IPF 35 allow all from 127.0.0.0/8 to any 17002
$IPF 36 deny all from any to me 17002
$IPF 37 allow all from 94.102.0.120 to any 17003
$IPF 38 allow all from 127.0.0.0/8 to any 17003
$IPF 39 deny all from any to me 17003
$IPF 40 allow all from 94.102.0.120 to any 17004
$IPF 41 allow all from 127.0.0.0/8 to any 17004
$IPF 42 deny all from any to me 17004
$IPF 43 allow all from 94.102.0.120 to any 17061
$IPF 44 allow all from 127.0.0.0/8 to any 17061
$IPF 45 deny all from any to me 17061
$IPF 46 allow all from 94.102.0.120 to any 17099
$IPF 47 allow all from 127.0.0.0/8 to any 17099
$IPF 48 deny all from any to me 17099
$IPF 49 allow all from 94.102.0.120 to any 19000
$IPF 50 allow all from 127.0.0.0/8 to any 19000
$IPF 51 deny all from any to me 19000
$IPF 52 allow all from 94.102.0.120 to any 19001
$IPF 53 allow all from 127.0.0.0/8 to any 19001
$IPF 54 deny all from any to me 19001
$IPF 55 allow all from 94.102.0.120 to any 19002
$IPF 56 allow all from 127.0.0.0/8 to any 19002
$IPF 57 deny all from any to me 19002
$IPF 58 allow all from 94.102.0.120 to any 19003
$IPF 59 allow all from 127.0.0.0/8 to any 19003
$IPF 60 deny all from any to me 19003
$IPF 61 allow all from 94.102.0.120 to any 19004
$IPF 62 allow all from 127.0.0.0/8 to any 19004
$IPF 63 deny all from any to me 19004
$IPF 64 allow all from 94.102.0.120 to any 19061
$IPF 65 allow all from 127.0.0.0/8 to any 19061
$IPF 66 deny all from any to me 19061
$IPF 67 allow all from 94.102.0.120 to any 19099
$IPF 68 allow all from 127.0.0.0/8 to any 19099
$IPF 69 deny all from any to me 19099
$IPF 70 allow all from 94.102.0.120 to any 21000
$IPF 71 allow all from 127.0.0.0/8 to any 21000
$IPF 72 deny all from any to me 21000
$IPF 73 allow all from 94.102.0.120 to any 21001
$IPF 74 allow all from 127.0.0.0/8 to any 21001
$IPF 75 deny all from any to me 21001
$IPF 76 allow all from 94.102.0.120 to any 21002
$IPF 77 allow all from 127.0.0.0/8 to any 21002
$IPF 78 deny all from any to me 21002
$IPF 79 allow all from 94.102.0.120 to any 21003
$IPF 80 allow all from 127.0.0.0/8 to any 21003
$IPF 81 deny all from any to me 21003
$IPF 82 allow all from 94.102.0.120 to any 21004
$IPF 83 allow all from 127.0.0.0/8 to any 21004
$IPF 84 deny all from any to me 21004
$IPF 85 allow all from 94.102.0.120 to any 21061
$IPF 86 allow all from 127.0.0.0/8 to any 21061
$IPF 87 deny all from any to me 21061
$IPF 88 allow all from 94.102.0.120 to any 21099
$IPF 89 allow all from 127.0.0.0/8 to any 21099
$IPF 90 deny all from any to me 21099
$IPF 91 allow all from 94.102.0.120 to any 15001
$IPF 92 allow all from 127.0.0.0/8 to any 15001
$IPF 93 deny all from any to me 15001
$IPF 200 allow tcp from any to any 11002 in
$IPF 210 allow tcp from any to any 11002 out
$IPF 200 allow udp from any to any 11002 in
$IPF 210 allow udp from any to any 11002 out
$IPF 200 allow tcp from any to any 13000 in
$IPF 210 allow tcp from any to any 13000 out
$IPF 200 allow tcp from any to any 13001 in
$IPF 210 allow tcp from any to any 13001 out
$IPF 200 allow tcp from any to any 13002 in
$IPF 210 allow tcp from any to any 13002 out
$IPF 200 allow tcp from any to any 13003 in
$IPF 210 allow tcp from any to any 13003 out
$IPF 200 allow tcp from any to any 13004 in
$IPF 210 allow tcp from any to any 13004 out
$IPF 200 allow tcp from any to any 13061 in
$IPF 210 allow tcp from any to any 13061 out
$IPF 200 allow tcp from any to any 13099 in
$IPF 210 allow tcp from any to any 13099 out
#Standart Regeln
$IPF 10000 allow all from any to any via lo0
$IPF 20000 deny all from any to 127.0.0.0/8
$IPF 30000 deny all from 127.0.0.0/8 to any
#$IPF 30000 deny all from ant to me 16000
$IPF 40000 allow all from any to any
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 94.102.0.120.13000 78.179.205.187.57011 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 78.179.205.187.56995 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 78.171.108.121.4817 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 88.246.114.134.4721 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 88.226.86.165.1342 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 88.226.86.165.1318 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 88.226.86.165.1314 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 88.226.86.165.1308 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 88.226.86.165.1302 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 88.226.86.165.1238 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 88.226.86.165.1138 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 88.226.86.165.1080 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 88.226.86.165.1058 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 88.226.86.165.1044 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 88.226.86.165.1038 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 88.226.86.165.5000 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 88.226.86.165.4962 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 88.226.86.165.4956 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 88.226.86.165.4910 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 88.226.86.165.4906 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 88.243.168.92.1150 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 95.10.246.185.22212 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 95.10.246.185.22210 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 88.241.135.0.4034 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 85.98.121.56.32937 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 88.226.5.4.60363 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 88.226.5.4.60353 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 88.226.5.4.60349 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 88.226.5.4.60347 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 88.226.5.4.60343 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 88.226.5.4.60341 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 88.226.5.4.60741 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 88.226.5.4.60739 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 88.226.5.4.60737 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 88.226.5.4.60725 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 88.226.5.4.60721 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 95.10.222.91.1786 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 95.10.222.91.1904 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 95.10.222.91.1886 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 78.184.192.60.1517 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 78.179.205.187.57012 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 78.189.17.248.1093 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 78.189.17.248.1091 SYN_RCVD
tcp4 0 0 94.102.0.120.13000 78.189.17.248.1089 SYN_RCVD
more...
...
...
..
mix_room said:Code:(max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
Use pf and the overload tables.
block quick from <snort2c> to any label "Block snort2c hosts"
(max-src-conn 10, max-src-conn-rate 5/2, flush)
pfctl -t blockedips -T add 85.101.146.226
netstat -na | awk '{print $5}' | cut -f1,2,3,4 -d '.' | sort | uniq -c | sort -n
Print:
..
more..
16 127.0.0.1
31 *.*
42 94.102.0.123
62 0
850 95.7.227.212
1500 85.101.146.226