Quote:
I asked him for any suggestions or tips about parsing pflog and extracting IPs and if there was a way to put them into a table or whatever was possible, awaiting a response on that question.
|
Peter's reply to that question:
Quote:
There is at least one daemon in the base system that reads data off
pflog interfaces already: spamlogd.
By looking at /usr/src/libexec/spamlogd/spamlogd.c and likely the
table parts of pfctl it should be feasible to hack together something
that reads a specific pflog interface (I would suggest logging each
rule you're interested in to a separate pflog interface or at least
clustering the blocks that should be treated similarly), looks for
blocks instead of passes, updates table entries. Might even be a fun
project. I'm not sure I'll have the time to do much about it in the short
run though.
|
I actually use snort and have it drop offending IPs into /etc/hosts.deny. I am certain that snort can be configured to your specifications regarding blocking port 22 TCP requests and blocked/logged accordingly.
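Peter's sketch (read a pflog interface, keep only blocks, feed the sources into a pf table) as an added example that is not from this thread or from spamlogd: it parses the text that tcpdump prints for a pflog interface with -n -e and builds the pfctl table update. The log lines are constructed, the table name "bruteforce" is an assumption, and the regex assumes tcpdump's "rule N/(match) block in on IF: src.port > dst.port:" line shape.

```python
import re

# Constructed sample in the shape tcpdump prints when reading a pflog interface
# with -n -e (rule number, action, direction, interface, addr.port pairs).
SAMPLE_LOG = """\
rule 4/(match) block in on em0: 192.0.2.10.40122 > 198.51.100.5.22: Flags [S], seq 1, win 65535, length 0
rule 2/(match) pass in on em0: 203.0.113.7.51000 > 198.51.100.5.22: Flags [S], seq 2, win 65535, length 0
rule 4/(match) block in on em0: 192.0.2.10.40123 > 198.51.100.5.22: Flags [S], seq 3, win 65535, length 0
rule 4/(match) block in on em0: 192.0.2.44.33000 > 198.51.100.5.22: Flags [S], seq 4, win 65535, length 0
rule 5/(match) block in on em0: 192.0.2.99.33001 > 198.51.100.5.80: Flags [S], seq 5, win 65535, length 0
"""

# In tcpdump's IPv4 notation the port is appended to the address with a dot,
# so the last dotted field of each side is the port, not part of the address.
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\S+ (?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def blocked_sources(log_text, dport=22):
    """Map source IP -> number of blocked packets aimed at `dport`.

    Passes, other ports and lines that do not parse are ignored, which is the
    "look for blocks instead of passes" filter from Peter's description.
    Insertion order is first-seen order (dicts preserve it in Python 3.7+).
    """
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "block" or int(m["dport"]) != dport:
            continue
        hits[m["src"]] = hits.get(m["src"], 0) + 1
    return hits


def pfctl_add_command(table, ips):
    """Build the pfctl invocation that adds these addresses to a pf table."""
    return ["pfctl", "-t", table, "-T", "add", *ips]


if __name__ == "__main__":
    hits = blocked_sources(SAMPLE_LOG)
    # Prints the command rather than running it; run it via subprocess as root
    # once the table exists in pf.conf (e.g. "table <bruteforce> persist").
    print(" ".join(pfctl_add_command("bruteforce", hits)))
```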