Date:      Wed, 24 Aug 2005 08:45:46 -0700
From:      "Gayn Winters" <gayn.winters@bristolsystems.com>
To:        "'Michael Dale'" <mdale@dalegroup.net>, "'Hornet'" <hornetmadness@gmail.com>
Cc:        'ro ro' <ricking505@yahoo.com>, freebsd-questions@freebsd.org
Subject:   RE: Illegal access attempt - FreeBSD 5.4 Release - please advise
Message-ID:  <03a601c5a8c2$e5d042c0$c901a8c0@workdog>
In-Reply-To: <430C5CAC.4050705@dalegroup.net>


> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org 
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Michael Dale
> Sent: Wednesday, August 24, 2005 4:40 AM
> To: Hornet
> Cc: ro ro; freebsd-questions@freebsd.org
> Subject: Re: Illegal access attempt - FreeBSD 5.4 Release - please advise
> 
> 
> >Also, most if not all of the blocks below are Asia netblocks that I
> >have had more than 3 attempts to gain access to my servers.
> >
> >220.0.0.0/8
> >202.0.0.0/7
> >134.208.0.0/16
> >218.0.0.0/8
> >210.0.0.0/7
> >221.0.0.0/8
> >219.0.0.0/8
> >195.116.0.0/16
> >59.0.0.0/8
> >195.133.91.0/24
> >222.0.0.0/8
> >
> Not always a good idea. A lot of Australian users have been having
> issues because of people doing this. More info here:
> http://forums.whirlpool.net.au/forum-replies.cfm?t=324246#r2
> 

Such automated blocking is becoming common in the better Intrusion
Detection Systems, which talk to their associated firewalls.  If you are
creating what is effectively a simple IDS, here are a couple of thoughts:

First, blocking reserved areas of the IP space seems a little different
than fighting malicious hackers and spammers, but in either case, see
(ii) below.

Second, if someone legitimate is being blocked, they'll probably call
you. You can put an earlier rule in the firewall to let them in. If you
are running an ecommerce site, you might not want to block half the
world; invest in a more powerful firewall/IDS combination.  See (iii)
below.

Third, if you are automating the creation of your blocks (a good idea)
then you could also do the following:
(i) create blocks as narrow as possible given the attacks.  First block
the IP address, then if several nearby addresses attack, block that
subnet, etc.
(ii) allow the blocks to time-out after a while (as many IDS blocks do).
If (i) turns them back on, then increase the length of the time-out.
(iii) review your blocks every now and then either by reviewing your
firewall logs or by having your (perl?) program check if (ii) turns off
a block only to have (i) turn it on again or if it never cycles.

BTW, our firewall blocks so many attacks per minute that its
multi-colored console display is better than a soap opera!

-gayn
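The escalating scheme in (i) to (iii) above, as an added example that is not from this thread or from any FreeBSD tool: a small Python decision engine (the `AutoBlocker` class and its thresholds and timeouts are assumed values) that a log watcher could call once per failed attempt, handing the networks it returns to the firewall.

```python
import ipaddress
from collections import defaultdict

STRIKE_THRESHOLD = 3    # constructed assumption: failed attempts before a host is blocked
BASE_TIMEOUT = 3600     # constructed assumption: seconds the first block of a network lasts
SUBNET_THRESHOLD = 4    # constructed assumption: blocked hosts in one /24 before the /24 is blocked


class AutoBlocker:
    def __init__(self):
        self.strikes = defaultdict(int)   # ip -> attempts since its last block
        self.blocks = {}                  # network -> expiry (epoch seconds)
        self.offenses = defaultdict(int)  # network -> how often it was blocked

    def expire(self, now):
        # (ii): blocks time out on their own instead of accumulating forever
        for net in [n for n, until in self.blocks.items() if until <= now]:
            del self.blocks[net]

    def is_blocked(self, ip, now):
        self.expire(now)
        return any(ipaddress.ip_address(ip) in net for net in self.blocks)

    def record_attempt(self, ip, now):
        # Feed one failed login here; returns (network, timeout) for a new block
        if self.is_blocked(ip, now):
            return None
        self.strikes[ip] += 1
        if self.strikes[ip] < STRIKE_THRESHOLD:
            return None
        self.strikes[ip] = 0
        return self._block(ipaddress.ip_network(f"{ip}/32"), now)

    def _block(self, net, now):
        self.offenses[net] += 1
        # (ii): a network that re-offends after a time-out gets double the length
        timeout = BASE_TIMEOUT * 2 ** (self.offenses[net] - 1)
        self.blocks[net] = now + timeout
        # (i): block the host first; widen to its /24 only once several neighbours are blocked too
        if net.prefixlen == 32:
            parent = net.supernet(new_prefix=24)
            hosts = [n for n in self.blocks if n.prefixlen == 32 and n.subnet_of(parent)]
            if len(hosts) >= SUBNET_THRESHOLD:
                for host in hosts:
                    del self.blocks[host]
                return self._block(parent, now)
        return str(net), timeout

    def review(self):
        # (iii): networks that keep cycling block -> expire -> block need a human look
        return sorted(str(n) for n, count in self.offenses.items() if count >= 2)
```

The widening step stops at a /24 on purpose, so a handful of noisy hosts never turns into a /7 that takes a whole region offline.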