Dynamic IP log retention = 0?

Alec Berry alec.berry at restontech.com
Wed Mar 11 16:57:19 UTC 2009

Hash: SHA1

Jon Lewis wrote:

> If port scans really bother you, then you should setup a system to detect 
> them, and regularly rebuild ACLs/null route lists/etc. to stop them in 
> near real time.  AFAIK, Cisco sells such a product, as do other network 
> vendors I'm sure.

It is pretty easy to do this with pf running on OpenBSD (et al). You can
even set a timeout so that additions to a banned list get removed after
x {hours,days,weeks}

table evil persist {}

block in log quick from <evil> to any label "evil"

pass in quick proto {tcp,udp} from any to any port 1024:65000 \
	synproxy state \
	(max-src-conn-rate 5/15, overload <evil> flush global)

Pick a port range and/or ip address range combo that you don't have
anything running on for the rule, then as scans take place the offending
IP will be added to the evil table and blocked. OK, there are some
additional details for expiring the evil IPs, and of course your own
network details. But this has worked quite well for me, and I love
checking the evil table from time to time to see who's been naughty.

My best guess is other firewalls can do something similar.


- --
/ Alec Berry \______________________________
| Senior Partner and Director of Technology \
| PGP/GPG key 0xE8E9030F                    |
| http://alec.restontech.com/#PGP           |
|             RestonTech, Ltd.              |
|        http://www.restontech.com/         |
|          Phone: (703) 234-2914            |
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the NANOG mailing list