Hi all,

I still run a plan9 server attached to the net. I have always
had attacks from bots, viruses, script kiddies etc. and decided
to do something to reduce the load on my system - some attacks can be
quite persistant.

I have taken the idea from the linux log2ban script but I implemented it
a rather differently. 

I added two functions to libsec (for want of a better place), nuisance()
and banished(). the former allows you to log a failed authentication attempt,
dropped TLS connection etc. the latter tests for too many failures and drops
connections from repeat offenders.

nuisance() adds a single character (indicating the type of failure, 't' for TLS drop,
'a' for authentication failure etc), to an append only file in /lib/ndb/banished
named with the source IP address that is connecting. if that file gets too long
the address is becomes persona non-grata.

I have a cron jonb that deletes banishment files that have not been modified for a month
on the basis that hackers and bots get rounded up eventually.

I added these calls to dnstcp, listen, tlssrv, imap4d, httpd, smtpd, and secstored.
This is enough to cover all the network listners I have, and it works well, but feels
a little crude. I would be interested if anyone has a more elegant solution.

-Steve