Date: Mon, 10 Jan 2005 01:39:29 -0600
From: Gene <listmail@Bomgardner.net>
To: artware <artware@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Blacklisting IPs
Message-ID: <41E23131.5000502@Bomgardner.net>
In-Reply-To: <fd091951050109222052228399@mail.gmail.com>
References: <20050110035717.27062.qmail@web41008.mail.yahoo.com> <fd091951050109222052228399@mail.gmail.com>
I have the same problem - numerous attempts to crack accounts like "admin", "Guest", "test", and so on. If it continually comes from the same IP, blocking that IP at the firewall should do the trick. However, if the attempts come from varying IPs and you intend to allow logins from the Internet, then you'd need to block out an unwieldy number of IP addresses.

The best bet in this case is to make sure your system is as secure as possible. Disable telnet and allow only ssh logins. Make sure you use strong passwords, or better, try one time passwords. (See the handbook.)

I use ssh, no telnet from outside the lan, with ssh restricted to allow only certain users/groups to login, and all those groups use opie for one time passwords. In addition, the firewall (I use IPF) is pretty tight, only allowing through the services I want available outside the lan.

I do seem to recall a scheme that detects such things as port scans and automagically adds a rule to the firewall to block the offending IP address, but I doubt that would help in your case.

One other thing I have done: Since a great many of the attempts come from IPs that resolve to the "pl" top level domain, I've just blocked any IP address that resolves to that domain altogether. I don't really expect any interest in my web site to come from Poland, so the action is feasible for me.

I'm certain that others on the list will come up with better methods, but I just wanted to toss in my 2 cents worth.

Gene

artware wrote:
> Hello again,
>
> My 5.3R system has only been up a little over a week, and I've already
> had a few break-in attempts -- they show up as Illegal user tests in
> the /var/log/auth.log... It looks like they're trying common login
> names (probably with the login name used as passwd). It takes them
> hours to try a dozen names, but I'd rather not have any traffic from
> these folks. Is there any way to blacklist IPs at the system level, or
> do I have to hack something together for each daemon?
>
> - ben
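A small detection script in the spirit of the automatic-blocking scheme Gene recalls, added here as an example and not code from either poster: it counts the sshd "Illegal user" lines artware sees in /var/log/auth.log per source address and prints an IPF "block in" rule for every address at or above a threshold. The log lines are constructed samples; the rule syntax assumes ipf(8) as used on FreeBSD, and a real run would read the actual log file.

```shell
#!/bin/sh
# Added example: per-source-IP count of sshd "Illegal user" log entries,
# turned into IPF block rules once an address crosses a threshold.

# Constructed sample of the auth.log entries described in the thread
# (addresses are documentation ranges, not real hosts).
SAMPLE_LOG='Jan 10 01:12:03 host sshd[1234]: Illegal user admin from 192.0.2.10
Jan 10 01:12:09 host sshd[1235]: Illegal user guest from 192.0.2.10
Jan 10 01:12:15 host sshd[1236]: Illegal user test from 192.0.2.10
Jan 10 01:30:44 host sshd[1300]: Illegal user test from 198.51.100.7
Jan 10 01:31:00 host sshd[1301]: Accepted publickey for gene from 203.0.113.5 port 4000 ssh2'

# offending_ips LOGTEXT THRESHOLD
# Prints "ip count", sorted, for every address with at least THRESHOLD
# "Illegal user" entries. Successful logins ("Accepted ...") are ignored.
offending_ips() {
    printf '%s\n' "$1" |
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Illegal user .* from / {
            # the source address is the field right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }
    ' | sort
}

# ipf_rules LOGTEXT THRESHOLD
# Emits one "block in quick" rule per offending address, ready to be
# saved to a file and loaded with ipf -f <file>.
ipf_rules() {
    offending_ips "$1" "$2" |
    awk '{ printf "block in quick from %s/32 to any\n", $1 }'
}

# Stand-alone demonstration on the constructed sample with a threshold of 3:
# only 192.0.2.10 (three attempts) produces a rule.
ipf_rules "$SAMPLE_LOG" 3
```

On a live system the threshold should be high enough that a user mistyping a login name once or twice is not locked out, and the generated rules should be reviewed before loading.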