From owner-freebsd-questions@FreeBSD.ORG Sun Feb 5 21:57:39 2006 Return-Path: X-Original-To: questions@freebsd.org Delivered-To: freebsd-questions@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 80D8616A422 for ; Sun, 5 Feb 2006 21:57:39 +0000 (GMT) (envelope-from ldrada@gmail.com) Received: from uproxy.gmail.com (uproxy.gmail.com [66.249.92.200]) by mx1.FreeBSD.org (Postfix) with ESMTP id CC4CA43D5C for ; Sun, 5 Feb 2006 21:57:36 +0000 (GMT) (envelope-from ldrada@gmail.com) Received: by uproxy.gmail.com with SMTP id u2so466457uge for ; Sun, 05 Feb 2006 13:57:35 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=f08/7mbg+GsMqLelNJhUNAzvwdO4A/LEuOdlfdtccodcih6ubvxZCSz8Yy3wTuf5HQ2jBUqOtUCKioyPIELdb5Cv6KNNgphZxFsIUEDq0YHSjlL8j8s/TASEKOAzgkLHAn7VVmThIrxVQez1AHC7ECJBT70PmXC3jrhUtLd1RXw= Received: by 10.48.49.7 with SMTP id w7mr1036175nfw; Sun, 05 Feb 2006 13:57:34 -0800 (PST) Received: by 10.48.108.10 with HTTP; Sun, 5 Feb 2006 13:57:34 -0800 (PST) Message-ID: <5ceb5d550602051357r27f07864lb408168902a68e12@mail.gmail.com> Date: Sun, 5 Feb 2006 22:57:34 +0100 From: "Daniel A." To: fbsd_user@a1poweruser.com In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <20060205103027.D7469@bsd.maa-net.net> Cc: questions@freebsd.org, "Michael A. Alestock" Subject: Re: IP Banning (Using IPFW) X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 05 Feb 2006 21:57:39 -0000 On 2/5/06, fbsd_user wrote: > I find this kind of approach is treating the symptom and not the > cause. > The basic problem is the services have well published port numbers > and attackers beat on those known port numbers. A much simpler > approach is to change the standard port numbers to some high order > port number. See /etc/services SSH logon command allows for a port > number and the same for telnet. Your remote users will be the only > people knowing your selected port numbers for those services. This > way a attackers port scan will show the well published port numbers > as not open so they will pass on attacking those ports on your ip > address. This way your bandwidth usage will be reduced as attackers > find your ip address as having nothing of interest. > > This same kind of thing can also be done for port 80 by using the > web forwarding function of Zoneedit pointing to different port for > your web server. Only people coming to your site through dns will be > forwarded to the correct port. > > The clear key here is attackers roll through a large range of ip > address port scanning for open ports. By using nonstandard port > numbers for your services you stop the attacker even finding you in > the first place. > > good luck what ever you choose to do. You just argued against yourself. If an attacker is genuinely interested in rooting someones box, that attacker will most likely portscan the box - And thereby discovering that you have assigned alternative port numbers to your services. Security through obscurity is a bad place to start. > > -----Original Message----- > From: owner-freebsd-questions@freebsd.org > [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Michael A. > Alestock > Sent: Sunday, February 05, 2006 10:42 AM > To: questions@freebsd.org > Subject: IP Banning (Using IPFW) > Importance: High > > > Hello, > > I was wondering if there's some sort of port available that can > actively > ban IPs that try and bruteforce a service such as SSH or Telnet, by > scanning the /var/log/auth.log log for Regex such as "Illegal User" > or > "LOGIN FAILURES", and then using IPFW to essentially deny (ban) that > IP > for a certain period of time or possibly forever. > > I've seen a very useful one that works for linux (fail2ban), and was > wondering if one exists for FreeBSD's IPFW? > > I've looked around in /usr/ports/security and /usr/ports/net but > can't > seem to find anything that closely resembles that. > > Your help would be greatly appreciated.... Thanks in advance! > > >> Michael A., USA... Loyal FreeBSD user since 2000. > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to > "freebsd-questions-unsubscribe@freebsd.org" > > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.o= rg" >