pf.conf output to bruteforce file
I have the following rule in pf.conf:
# bruteforce blocking
block quick from <bruteforce>
pass inet proto tcp to $nic port ssh \
keep state (max-src-conn 10, max-src-conn-rate 5/5 \
overload <bruteforce> flush global)
Where should the bruteforce file be placed and with which permissions to have pf write out information for bruteforced attempts?
It has been a while when I played with pf tables.
AFAIK pf keeps the contents of tables in memory. But according the pfctl man page you can show/display the contents of a table with pfctl -t bruteforce -T show
So if you redirect that output to file with something like pfctl -t bruteforce -T show >bruteforce.txt you have those addresses in a file.
How to use that file for a next reload of the pf.conf rules is well explained in the pf users guide and pfctl man page.
For permissions I would start with the same as "/etc/pf.conf" : rw for root, nothing for group and world.
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
|Thread||Thread Starter||Forum||Replies||Last Post|
|DVI output in X||backrow||OpenBSD General||5||14th April 2011 04:39 AM|
|output to a file in java||c0mrade||Programming||4||15th October 2009 07:55 AM|
|difference between rc.conf and loader.conf||disappearedng||FreeBSD General||5||3rd September 2008 05:54 AM|
|C and file input/output||18Googol2||Programming||3||20th August 2008 04:02 PM|
|strange security run output||deadeyes||FreeBSD Security||5||2nd July 2008 04:51 PM|