From: Oliver Fromme <oliver.fromme@secnetix.de>
To: freebsd-stable@FreeBSD.ORG, suhailc@gmail.com
Date: Thu, 21 Dec 2006 16:33:21 +0100 (CET)
Subject: Re: Block IP
Message-Id: <200612211533.kBLFXLaW090581@lurza.secnetix.de>

Suhail Choudhury wrote:
> What's the easiest way to add an IP such as 80.192.49.213 to block it?
Easy:

  # ipfw add deny ip from 80.192.49.213 to me

Depending on your existing rules, you might have to specify a rule number, so the new rule is inserted at an appropriate position. Please refer to the ipfw(8) manual page for details.

> Also how do I block out IPs after a certain number of invalid login
> attempts to prevent brute forcing?

In general that's not a good idea. If you do it wrong, it makes DoS attacks against your machine easier (i.e. a clever attacker might be able to lock you out of your own machine). And getting it right is not easy.

The best way to prevent brute-forcing is to use good passwords, or -- even better -- don't use passwords at all, but key authentication or OTP (SKey / OPIE).

Another thing that you can do is to move the sshd to a non-standard port (i.e. something other than 22). Attackers who look for machines for brute-forcing usually scan networks for port 22 only. However, note that using a non-standard port does _not_ make your machine more secure (that would rather be "security by obscurity"). It only prevents your machine from appearing in standard ssh scans, so it gets rid of almost all of the "ssh login failures" in your daily run output which result from such attempts.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author and may not necessarily reflect the opinions of secnetix in any way.
"We, the unwilling, led by the unknowing, are doing the impossible for the ungrateful. We have done so much, for so long, with so little, we are now qualified to do anything with nothing."
        -- Mother Teresa
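Added example, not part of the message above and not Oliver's or FreeBSD's code: it shows the two points the reply makes, namely that an ipfw deny rule needs a rule number to land ahead of your permissive rules, and that automated blocking must never be able to lock you out of your own machine. The script counts "Failed password" lines per source address, drops any address inside an allowlist of management networks (the self-lockout safeguard), and only generates the ipfw commands for review rather than running them. The log excerpt is constructed, the OpenSSH log wording and the 192.0.2.0/24 admin network are assumptions, and the addresses other than 80.192.49.213 are documentation ranges.

```python
import ipaddress
import re
from collections import Counter

# Constructed auth-log excerpt (not from the original message). The sshd
# wording below is the common OpenSSH format and is an assumption here.
SAMPLE_LOG = """\
Dec 21 15:01:02 gw sshd[1234]: Failed password for root from 80.192.49.213 port 50122 ssh2
Dec 21 15:01:05 gw sshd[1234]: Failed password for root from 80.192.49.213 port 50123 ssh2
Dec 21 15:01:09 gw sshd[1235]: Failed password for invalid user admin from 80.192.49.213 port 50130 ssh2
Dec 21 15:02:00 gw sshd[1240]: Accepted publickey for olli from 192.0.2.10 port 40001 ssh2
Dec 21 15:02:30 gw sshd[1241]: Failed password for olli from 192.0.2.10 port 40002 ssh2
Dec 21 15:02:33 gw sshd[1241]: Failed password for olli from 192.0.2.10 port 40003 ssh2
Dec 21 15:02:36 gw sshd[1241]: Failed password for olli from 192.0.2.10 port 40004 ssh2
Dec 21 15:02:39 gw sshd[1241]: Failed password for olli from 192.0.2.10 port 40005 ssh2
Dec 21 15:03:10 gw sshd[1250]: Failed password for invalid user test from 203.0.113.9 port 33000 ssh2
Dec 21 15:03:12 gw sshd[1250]: Failed password for invalid user test from 203.0.113.9 port 33001 ssh2
Dec 21 15:03:14 gw sshd[1250]: Failed password for invalid user test from 203.0.113.9 port 33002 ssh2
Dec 21 15:04:00 gw sshd[1260]: Failed password for guest from 198.51.100.7 port 22222 ssh2
"""

# Matches both "Failed password for root from A.B.C.D port N" and the
# "for invalid user NAME from ..." variant; only the source address is kept.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)


def count_failures(log_text):
    """Return a Counter of failed-password attempts keyed by source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def select_offenders(counts, threshold, allowlist):
    """Addresses with at least `threshold` failures that lie outside every
    allowlisted network. The allowlist is the safeguard against the DoS the
    reply warns about: your own management networks are never candidates."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    chosen = []
    for addr, n in counts.items():
        if n < threshold:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # hostname or garbage in the log, not an address
        if any(ip in net for net in nets):
            continue
        chosen.append(addr)
    return sorted(chosen, key=ipaddress.ip_address)


def ipfw_deny_rules(addrs, rule_number):
    """Build the ipfw commands with an explicit rule number so the deny rules
    sort ahead of later permissive rules; they are returned, not executed."""
    if not 1 <= rule_number <= 65534:  # 65535 is ipfw's fixed default rule
        raise ValueError("ipfw rule numbers must be in 1..65534")
    return [f"ipfw add {rule_number} deny ip from {a} to me" for a in addrs]


if __name__ == "__main__":
    counts = count_failures(SAMPLE_LOG)
    offenders = select_offenders(counts, threshold=3, allowlist=["192.0.2.0/24"])
    for cmd in ipfw_deny_rules(offenders, rule_number=1000):
        print(cmd)
```

With the sample input, 192.0.2.10 has the most failures but is never proposed for blocking because it sits in the assumed admin network; 198.51.100.7 stays below the threshold; the output is two "ipfw add 1000 deny ip from ... to me" lines for the remaining addresses, which an operator reviews before applying. Sharing one rule number for the whole set is allowed by ipfw and keeps the generated rules easy to flush as a group.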