# I'm worried about this.....



## krasi_d (Dec 10, 2010)

This morning I saw a message in auth.log - 'Did not receive identification string from 59.37.11.161'. I don't know what this means, but this is a public IP. Can someone help me with this message?


----------



## SirDice (Dec 10, 2010)

Ignore it. I get hundreds of those.


----------



## UNIXgod (Dec 10, 2010)

You can block 'em with pf. Most of the time they are coming from port scanners like nmap.


----------



## krasi_d (Dec 10, 2010)

UNIXgod said:

> You can block 'em with pf. Most of the time they are coming from port scanners like nmap.

SirDice said:

> Ignore it. I get hundreds of those.

I have some problems with pf, but it's fine if I can ignore it.
Thanks guys.


----------



## UNIXgod (Dec 10, 2010)

krasi_d said:

> I have some problems with pf, but it's fine if I can ignore it.
> Thanks guys.



It's easy.

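Create an /etc/pf.conf file with:

```
table <BRUTEFORCE> persist
block in quick from <BRUTEFORCE>  # the table does nothing until a rule references it
```

Create a shell wrapper called addbrute in /root/bin:

```
#!/bin/sh

# To remove a non-offender from the table:
# pfctl -t BRUTEFORCE -T delete <IP>

# Add every address given on the command line to the BRUTEFORCE table.
/sbin/pfctl -t BRUTEFORCE -T add "$@"
```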

Now when you see one of the bastards in your auth logs, simply type as root:

```
addbrute 123.456.789.012
```

If you want to expire the brutes (IPs change often enough), pop this in a cron job:

```
/sbin/pfctl -t BRUTEFORCE -T expire 86400 >/dev/null 2>&1
```



Further information on setting up the service inside FreeBSD can be found here:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html


----------
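An added example, not part of any post in this thread: a small sh filter that pulls the source addresses out of the "Did not receive identification string" lines discussed above, so they do not have to be copied from auth.log by hand. The function names, the threshold and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in auth.log layout, using documentation address ranges.
sample_log() {
cat <<'EOF'
Dec 10 06:12:01 host sshd[1201]: Did not receive identification string from 192.0.2.10
Dec 10 06:12:09 host sshd[1207]: Did not receive identification string from 192.0.2.10
Dec 10 06:13:44 host sshd[1215]: Did not receive identification string from 192.0.2.10 port 40022
Dec 10 06:15:30 host sshd[1302]: Did not receive identification string from 198.51.100.23
Dec 10 06:20:11 host sshd[1310]: Invalid user Did not receive identification string from 203.0.113.5 from 198.51.100.99
Dec 10 06:21:00 host sshd[1322]: Did not receive identification string from 999.1.1.1
EOF
}

# probe_sources MIN < logfile
# Prints, sorted, each IPv4 address seen in at least MIN matching lines.
probe_sources() {
    awk -v min="${1:-3}" '
        # Match by field position, not by substring, so text embedded in
        # other sshd messages (such as a user name) cannot add an address.
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Did" && $7 == "not" &&
        $8 == "receive" && $9 == "identification" &&
        $10 == "string" && $11 == "from" {
            ip = $12    # a trailing "port N" in newer sshd output is ignored
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            split(ip, octet, ".")
            for (i = 1; i <= 4; i++)
                if (octet[i] + 0 > 255) next   # reject impossible octets
            count[ip]++
        }
        END { for (ip in count) if (count[ip] >= min) print ip }
    ' | sort
}

# Stand-alone demonstration on the constructed sample.
sample_log | probe_sources 3

# On a real host, as root (addbrute is the wrapper from the post above):
#   probe_sources 3 < /var/log/auth.log | while read -r ip; do
#       /root/bin/addbrute "$ip"
#   done
```

Only the well-formed lines are counted: the `Invalid user` line and the `999.1.1.1` line are both ignored.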

