From: Jez Hancock
To: freebsd-questions@freebsd.org
Date: Mon, 10 Jan 2005 19:42:16 +0000
Subject: Re: Blacklisting IPs
Message-ID: <7b3c7f0b0501101142223c3e36@mail.gmail.com>
In-Reply-To: <20050110172303.GA7456@keyslapper.org>
References: <20050110172303.GA7456@keyslapper.org>

On Mon, 10 Jan 2005 12:23:04 -0500, Louis LeBlanc wrote:
> On 01/10/05 12:20 AM, artware sat at the `puter and typed:
> > Hello again,
> >
> > My 5.3R system has only been up a little over a week, and I've already
> > had a few break-in attempts -- they show up as Illegal user tests in
> > the /var/log/auth.log... It looks like they're trying common login
> > names (probably with the login name used as passwd). It takes them
> > hours to try a dozen names, but I'd rather not have any traffic from
> > these folks. Is there any way to blacklist IPs at the system level, or
> > do I have to hack something together for each daemon?
>
> The best defense is a good firewall, good passwords, and restriction of
> user ids that may login remotely.

I started blocking the addresses that attacked but the frequency of the
attacks made it impractical to add every attacking address to the
firewall ruleset.

I came to the conclusion that as long as the items you mention above are
in place - especially good passwords - and the attacks aren't saturating
the connection, then there's little to worry about - perhaps on a par
with portscanning.

Another fairly simple option though is to just change the port that sshd
listens on since the attacks presume that sshd is listening on port 22.
Not always practical though if you have lots of users.

--
Jez Hancock - System Administrator / PHP Developer
http://munk.nu/
http://freebsd.munk.nu/ - A FreeBSD Diary
http://ipfwstats.sf.net/ - ipfw peruser traffic logging
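The "hack something together" the original poster asks about, as an added example that is not part of the thread: a POSIX sh script that reads the "Illegal user" lines from /var/log/auth.log, counts them per source address, and prints ipfw table commands for any address over a threshold, so the firewall side of Jez's approach can run unattended. The log lines below are constructed samples, and the ipfw table number (1) and rule number (100) are assumptions; the script only prints commands, it does not execute them.

```shell
#!/bin/sh
# Constructed sample of the "Illegal user" lines the original poster describes
# (OpenSSH 3.x wording). Addresses are documentation-range placeholders.
SAMPLE_LOG='Jan 10 03:14:22 gw sshd[812]: Illegal user test from 192.0.2.10
Jan 10 03:14:31 gw sshd[815]: Illegal user guest from 192.0.2.10
Jan 10 03:14:40 gw sshd[818]: Illegal user admin from 192.0.2.10
Jan 10 04:02:05 gw sshd[901]: Illegal user oracle from 198.51.100.7
Jan 10 04:10:17 gw sshd[944]: Accepted publickey for jez from 203.0.113.5 port 51022 ssh2'

# offenders THRESHOLD: read auth.log lines on stdin and print, one per line
# and sorted, each source address that produced at least THRESHOLD
# "Illegal user" lines. Successful logins and unrelated lines are ignored.
offenders() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: Illegal user .* from / {
            # the source address is the field right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print ip }
    ' | sort
}

# deny_rules THRESHOLD: turn the offenders into ipfw table commands, one per
# address, so the ruleset itself never grows. A cron job could pipe the
# output to sh after review. Table 1 is an assumption; the one-time rule
# that consults it would be (rule number 100 also assumed):
#   ipfw add 100 deny tcp from "table(1)" to me dst-port 22
deny_rules() {
    offenders "$1" | while read -r ip; do
        printf 'ipfw table 1 add %s\n' "$ip"
    done
}

# Example run over the constructed sample with a threshold of three attempts.
printf '%s\n' "$SAMPLE_LOG" | deny_rules 3
```

Run it against the real file with `deny_rules 3 < /var/log/auth.log`; an address seen fewer than three times is reported only once the threshold is lowered.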