[OpenBSD-pf] dynamic filtering based on httpd error_log
I've had my OpenBSD box running as a server for a few months
now. I've shut down all services except the ones I want, one of which is
httpd. I am curious if anyone out there has set up a tail on httpd's
error_log with the intent to block IPs using pf. I'm relatively new to
the world of firewalls although I have a general understanding of TCP/IP
architecture. Basically what I'd like to do is as follows:
a) attempts to access cmd.exe or similar quick drop, send me an e-mail
so I can look up the network owner on ARIN to contact them concerning
a malicious box, restore in a day, week, not sure really.
b) 3 attempts to access invalid/non-existent files quick blocks the IP,
restore in 10-20 mins.
c) malformed headers quick blocks IP, restore in 1-5 mins.
I'm primarily interested in dynamic addition and removal of rule
sets using pf. Would I be correct in using `pfctl -k AnnoyingIP` to
remove the rule? I haven't a clue as to how I would add a rule to the
set. Is concatenating to the end of a pf.conf copy and then
loading the new ruleset my only option? Would it be advisable to
directly manipulate the rulesets with a C program? Any help with this
would be greatly appreciated. Thanks in advance.
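An added example, not part of the original post, showing the usual way this is done with pf tables rather than by editing and reloading pf.conf: a sh script reads Apache-style error_log lines, classifies them into the three cases the post lists, and adds the offending address to a pf table with `pfctl -t TABLE -T add`. The table names `cmdscan` and `badhosts`, the threshold of 3, the DRYRUN switch and the sample log lines are all assumptions made here; the sample log is constructed, not taken from any real server.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): feed httpd error_log lines
# into pf tables instead of rewriting pf.conf. Assumed pf.conf entries:
#   table <cmdscan>  persist
#   table <badhosts> persist
#   block in quick from { <cmdscan>, <badhosts> }
# Table names and thresholds below are choices made for this example.

DRYRUN=${DRYRUN:-1}        # 1: print the pfctl command instead of running it
THRESHOLD=${THRESHOLD:-3}  # missing-file hits from one IP before it is blocked

# Constructed sample log (Apache 1.3 error_log format), used by the self-test.
SAMPLE_LOG='[Tue Mar 05 10:22:33 2002] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/scripts/..%255c../winnt/system32/cmd.exe
[Tue Mar 05 10:22:40 2002] [error] [client 198.51.100.7] File does not exist: /var/www/htdocs/favicon.ico
[Tue Mar 05 10:22:41 2002] [error] [client 198.51.100.7] File does not exist: /var/www/htdocs/robots.txt
[Tue Mar 05 10:22:42 2002] [error] [client 198.51.100.7] File does not exist: /var/www/htdocs/x.html
[Tue Mar 05 10:22:50 2002] [error] [client 203.0.113.5] File does not exist: /var/www/htdocs/index2.html
[Tue Mar 05 10:22:55 2002] [error] [client 203.0.113.5] Invalid method in request'

# decide: read error_log lines on stdin, print "TABLE IP" once per offending IP.
#   cmd.exe probe          -> cmdscan immediately   (case a)
#   THRESHOLD missing files -> badhosts             (case b)
#   malformed request      -> badhosts immediately  (case c)
decide() {
    awk -v thr="$THRESHOLD" '
    {
        # pull the address out of "[client 192.0.2.10]"
        if (match($0, /\[client [0-9.]+\]/) == 0) next
        ip = substr($0, RSTART + 8, RLENGTH - 9)
        if (ip in done) next
        if ($0 ~ /cmd\.exe/) {
            print "cmdscan " ip; done[ip] = 1
        } else if ($0 ~ /Invalid method/ || $0 ~ /request failed/) {
            print "badhosts " ip; done[ip] = 1
        } else if ($0 ~ /File does not exist/) {
            if (++miss[ip] >= thr) { print "badhosts " ip; done[ip] = 1 }
        }
    }'
}

# block_ip TABLE IP: add the address to the pf table (or echo the command).
# For the cmdscan table also mail root so the ARIN lookup can be done by hand.
block_ip() {
    if [ "$DRYRUN" = 1 ]; then
        echo "pfctl -t $1 -T add $2"
    else
        pfctl -t "$1" -T add "$2"
        if [ "$1" = cmdscan ]; then
            printf 'blocked %s after cmd.exe probe\n' "$2" | mail -s "pf block $2" root
        fi
    fi
}

# Usage: DRYRUN=0 ./pfblock.sh /var/www/logs/error_log
# or, to follow a live log: tail -f /var/www/logs/error_log | DRYRUN=0 ./pfblock.sh -
if [ -n "${1:-}" ]; then
    if [ "$1" = - ]; then
        decide | while read -r table ip; do block_ip "$table" "$ip"; done
    else
        decide < "$1" | while read -r table ip; do block_ip "$table" "$ip"; done
    fi
fi
```

Expiry is handled outside the script: `pfctl -t badhosts -T expire 1200` from cron drops table entries older than 20 minutes, and a longer value on the cmdscan table gives the day-or-week hold. `pfctl -k` is the state-killing option; after adding an address to a blocking table, `pfctl -k ADDRESS` is still what clears any connection that address already has open, since pf rules are evaluated only for new states.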