Hi,
I frequently check my logs and there are always some IPs that are trying to get access to my system using brute force or some other scripts. I have never needed a tool to examine my logs and report such attacks, because I'm looking at my logs very frequently, but now that I won't have that opportunity (I won't be at home for a certain time), I'd like to use such a tool that examines the logs and blocks.
What I'm using right now is a table in PF that reads /etc/blocked_ips and blocks each ip listed in the file.
Code:
# --- load every ip from the /etc/blocked_ips file into a persistent table ---
table <blocked_ips> persist file "/etc/blocked_ips"
# --- block (and log) every inbound packet from an ip in that table ---
block in log quick on $ext_if from <blocked_ips> to any
I'd like to use a script that examines the logs for bad SSH logins (/var/log/auth), bad SMTP attempts (/var/log/maillog), etc.
I want to ask you: what kind of automatic protection are you using? Some kind of self-written scripts, or some ports that examine the logs and put the bad IPs in a file?
Thanks!
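As an added illustration (not the poster's code), here is a small POSIX sh script that does the SSH half of what the post asks for: it counts "Failed password" lines per source IP in an OpenSSH auth log, prints the addresses at or above a threshold in the one-address-per-line format the `file` table option expects, and reloads the `<blocked_ips>` table with `pfctl`. The log lines are constructed samples; the log path, threshold and file name are assumptions.

```shell
#!/bin/sh
# Added example: turn failed sshd logins into PF table entries.
# Assumes OpenSSH's "Failed password for ... from <ip> port ..." format.

# Constructed sample of /var/log/auth.log lines, so this runs offline.
SAMPLE_LOG=$(cat <<'EOF'
Jan 10 03:14:01 host sshd[1234]: Failed password for root from 198.51.100.7 port 51234 ssh2
Jan 10 03:14:03 host sshd[1234]: Failed password for root from 198.51.100.7 port 51236 ssh2
Jan 10 03:14:05 host sshd[1235]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Jan 10 03:15:00 host sshd[1240]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Jan 10 03:16:11 host sshd[1250]: Failed password for bob from 203.0.113.9 port 42000 ssh2
EOF
)

# offenders <threshold>: read auth log lines on stdin, print each source IP
# that has at least <threshold> failed password attempts (one per line).
offenders() {
    threshold="$1"
    grep 'sshd\[[0-9]*\]: Failed password for' \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c \
      | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# update_table <file>: merge IPs from stdin into <file> (deduplicated) and
# replace the live PF table with the file's contents. Requires root.
# Real use:  offenders 3 < /var/log/auth.log | update_table /etc/blocked_ips
update_table() {
    file="$1"
    cat "$file" - 2>/dev/null | sort -u > "$file.tmp" && mv "$file.tmp" "$file"
    pfctl -t blocked_ips -T replace -f "$file"
}

# Stand-alone demo on the constructed sample (prints 198.51.100.7).
printf '%s\n' "$SAMPLE_LOG" | offenders 3
```

Run it from cron while away; the `file` option only matters at ruleset load, which is why the live table is replaced with `pfctl -t ... -T replace` rather than by editing the file alone.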