# proper tool for honeypot triggered "deny" rules



## advantagecom (May 28, 2010)

Hello,

We're hoping to create some firewall rules that will do something like this in real time:

<random bad guy> opens tcp port 22 on 10.0.0.5/32 [our trigger rule]
<random bad guy> denied access to 10.0.0.0/16 [the rule activated by the trigger]

The firewall is deployed as a bridge, so it is capable of protecting multiple hosts at once.

In reality, we don't care if they're denied or simply slowed to an unusable crawl. We just want to prevent the constant barrage of ssh brute force attempts from creating DOS situations across thousands of hosts. If we see a disallowed connection to ssh on certain hosts, we want the rest of our network protected from that IP since it is obviously rogue. Ideally, the bad guy IP would timeout from the deny rule after something like 6 hours of inactivity from the bad guy IP or similar.

We're currently set up with ipfw, but we're open to any native FreeBSD firewalling package and/or tools found in ports. We are also willing to consider non-native tools that compile cleanly or are just shell scripting.

I've mucked around with ipfw for a while now with dynamic rules, pipes, and so forth, but in each case the resulting dynamic rule is too specific to be of any real use.

Linux has the iptables "recent" module to handle this type of thing.

I would imagine that if there is a way to dynamically add source IP addresses matching a trigger rule to an address table that is used in a later deny rule that that would be equivalent, but I haven't been able to figure out which firewall package can do that, if any.

Can anyone point me in the right direction? I'm happy to read any documentation for tools that can do this.
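The table-based approach sketched above, written out as an added shell example (not from this thread or from any tool named in it). It assumes two `deny log` ipfw rules, a blanket deny from table 1 to 10.0.0.0/16 and the port-22 trigger on 10.0.0.5, and the `ipfw:` log-line format shown in the comment; the log parser, the state file and the 6-hour idle expiry are mine.

```shell
#!/bin/sh
# Added example (not from the thread): hits on a logged ipfw trigger rule
# feed an ipfw table that a blanket deny rule consumes. Assumed rules (both
# log, so any later packet from a listed offender refreshes its timer):
#   ipfw add 100 deny log ip from "table(1)" to 10.0.0.0/16   # blanket deny
#   ipfw add 200 deny log tcp from any to 10.0.0.5 22 setup    # honeypot trigger
LOGGED_RULES=${LOGGED_RULES:-"100 200"}
BLOCK_TABLE=${BLOCK_TABLE:-1}
IDLE_SECS=${IDLE_SECS:-21600}                   # drop after 6 h of inactivity
STATE=${STATE:-/var/db/honeypot-block.state}    # one "ip last_seen" per line
IPFW=${IPFW:-/sbin/ipfw}

# Print the IPv4 source of an ipfw log line that hit one of LOGGED_RULES with
# a Deny action, else nothing. Assumed format (constructed sample):
#   "... kernel: ipfw: 200 Deny TCP 192.0.2.10:54321 10.0.0.5:22 in via em0"
trigger_src() {
    printf '%s\n' "$1" | awk -v rules="$LOGGED_RULES" '
        BEGIN { n = split(rules, r, " "); for (k = 1; k <= n; k++) want[r[k]] = 1 }
        { for (i = 1; i <= NF; i++)
              if ($i == "ipfw:" && ($(i+1) in want) && $(i+2) == "Deny") {
                  split($(i+4), a, ":"); print a[1]; exit } }'
}

# Record (or refresh) an offender's last-seen time and add it to the table.
note_hit() {                                    # $1 = ip, $2 = epoch seconds
    tmp=$(mktemp) || return 1
    { grep -v "^$1 " "$STATE" 2>/dev/null || true; printf '%s %s\n' "$1" "$2"; } > "$tmp"
    mv "$tmp" "$STATE"
    "$IPFW" table "$BLOCK_TABLE" add "$1" 2>/dev/null || true   # may already exist
}
# Drop entries idle for IDLE_SECS or more from both the table and the state file.
expire() {                                      # $1 = epoch seconds "now"
    [ -f "$STATE" ] || return 0
    tmp=$(mktemp) || return 1
    while read -r ip seen; do
        if [ $(( $1 - seen )) -ge "$IDLE_SECS" ]; then
            "$IPFW" table "$BLOCK_TABLE" delete "$ip" 2>/dev/null || true
        else
            printf '%s %s\n' "$ip" "$seen"
        fi
    done < "$STATE" > "$tmp"
    mv "$tmp" "$STATE"
}
# Follow the log forever; run "$0 expire" from cron every few minutes.
case "${1:-}" in
    watch)  tail -F /var/log/security | while read -r line; do
                ip=$(trigger_src "$line"); [ -z "$ip" ] || note_hit "$ip" "$(date +%s)"; done ;;
    expire) expire "$(date +%s)" ;;
esac
```

Because rule 100 also logs, an offender's timer only runs out after six hours without a single packet towards the protected range; if log volume is a concern, drop `log` from rule 100 and the timer becomes six hours since the last honeypot hit.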


----------



## wblock@ (May 28, 2010)

mail/spamd (http://freebsdspamd.berlios.de/) comes highly recommended (although I haven't tried it yet).


----------



## SirDice (May 30, 2010)

advantagecom said:

> We just want to prevent the constant barrage of ssh brute force attempts from creating DOS situations across thousands of hosts. If we see a disallowed connection to ssh on certain hosts, we want the rest of our network protected from that IP since it is obviously rogue. Ideally, the bad guy IP would timeout from the deny rule after something like 6 hours of inactivity from the bad guy IP or similar.
> 
> We're currently setup with ipfw, but we're open to any native FreeBSD firewalling package and/or tools found in ports. We are also willing to consider non-native tools that compile cleanly or are just shell scripting.
> 
> I've mucked around with ipfw for a while now with dynamic rules, pipes, and so forth, but in each case the resulting dynamic rule is too specific to be of any real use.


Install security/sshguard-ipfw.


----------

