I'm worried about this.....

This morning I saw a message in auth.log - 'Did not receive identification string from 59.37.11.161'. I don't know what this means, but this is a public IP. Can someone help me with this message?
 
krasi_d said:
I have some problem with pf, but it's fine when I can ignore it.
Thanks guys.

It's easy.

Create an /etc/pf.conf file with:

Code:
table <BRUTEFORCE> persist
block in quick from <BRUTEFORCE>

Create a shell wrapper called addbrute in /root/bin:

Code:
#!/bin/sh

# For non-offenders (table names are case-sensitive):
# pfctl -t BRUTEFORCE -T delete <IP>

# Add every address given on the command line to the table.
/sbin/pfctl -t BRUTEFORCE -T add "$@"

Now when you see one of the bastards in your auth logs, simply type as root:
addbrute 123.456.789.012

If you want to expire the brutes (IPs change often enough), pop this in a cron job:

/sbin/pfctl -t BRUTEFORCE -T expire 86400 >/dev/null 2>&1

Further information on setting up the service inside FreeBSD can be found here:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html
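
The manual step in the reply above (spotting addresses in auth.log before running addbrute) can be scripted. This is an added example, not part of the original post; the function names, the threshold of 3 and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list source IPs that repeatedly trigger sshd's
# "Did not receive identification string" message.

# Constructed sample lines in auth.log format (documentation-range IPs).
sample_log() {
cat <<'EOF'
Mar  3 06:12:01 host sshd[1201]: Did not receive identification string from 203.0.113.7
Mar  3 06:12:09 host sshd[1207]: Did not receive identification string from 203.0.113.7
Mar  3 06:13:44 host sshd[1213]: Accepted publickey for admin from 198.51.100.20 port 50022 ssh2
Mar  3 06:14:02 host sshd[1220]: Did not receive identification string from 203.0.113.7 port 41822
Mar  3 06:15:30 host sshd[1231]: Did not receive identification string from 198.51.100.99
Mar  3 06:16:10 host sshd[1240]: Did not receive identification string from 999.1.2.3
EOF
}

# offenders MIN: read log lines on stdin and print, sorted and one per line,
# each valid IPv4 address seen in at least MIN matching messages.
offenders() {
    min=${1:-3}
    awk -v min="$min" '
        /sshd\[[0-9]+\]: Did not receive identification string from / {
            # The address is the token after "from"; newer sshd appends "port N".
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            # Accept only dotted quads with octets 0-255, so nothing else
            # from the log line can end up on a pfctl command line.
            if (split(ip, o, ".") != 4) next
            ok = 1
            for (j = 1; j <= 4; j++)
                if (o[j] !~ /^[0-9]+$/ || o[j] + 0 > 255) ok = 0
            if (ok) count[ip]++
        }
        END { for (ip in count) if (count[ip] >= min) print ip }
    ' | sort
}

# Demo on the constructed sample; prints the one address seen three times.
sample_log | offenders 3
```

On the real system, run `offenders 3 < /var/log/auth.log` and pass the addresses you have reviewed to addbrute.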
 