Date:      Mon, 8 Mar 2010 16:21:45 -0600
From:      Jason Garrett <kingedgar@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Thousands of ssh probes
Message-ID:  <970380131003081421q13b77547p9f72d4894114d50@mail.gmail.com>
In-Reply-To: <4B957617.9080000@locolomo.org>
References:  <20100305125446.GA14774@elwood.starfire.mn.org> <4B91B36D.1020507@locolomo.org> <20100307204114.GK16274@mail2.dcoder.net> <4B942D4B.6070407@locolomo.org> <970380131003080956u375be282wd5e5e4445841146f@mail.gmail.com> <4B957617.9080000@locolomo.org>

On Mon, Mar 8, 2010 at 16:11, Erik Norgaard <norgaard@locolomo.org> wrote:

> On 08/03/10 18:56, Jason Garrett wrote:
>
>>> Much better, restrict the client access to certain ranges of IPs. The
>>> different registries publish ip ranges assigned per country and you can
>>> create a list blocking countries you are certain not to visit, you can
>>> use my script:
>>>
>>>   http://www.locolomo.org/pub/src/toolbox/inet.pl
>>>
>> Great script! Just one question. Where do you put the list of denied ip
>> ranges?
>>
>
> The output is written to be used with packet filter, if you use some other
> firewall you may need to edit the script. If you use packet filter, then you
> can dump the list into a file and create tables like this:
>
>  table <blacklist> persist file "/etc/blacklist"
>  block in quick from <blacklist>
>
> I use blacklisting for mail while I use whitelisting for ssh.
>
> You should know the limits of the script, the problem is that some ranges
> have been assigned directly by IANA, particularly for US. These are not
> included. The list is limited as these are all /8 chunks, you can find it
> here:
>
> http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml
>
> These ranges are managed by private organisations and assigned as they see
> fit.
>
> There is another thing I'd like to filter by: I'd like to eliminate dynamic
> ranges, particularly for mail. It's been recommended that reverse lookup
> resolves to something like dyn.example.com or dynamic.example.com, but
> there is no registry where you can simply look it up.
>
>
Thanks! I'm not sure what ranges the OP is looking for, but I only want to
allow from US IPs for now, since I never travel outside the country.

>
> BR, Erik
> --
> Erik Nørgaard
> Ph: +34.666334818/+34.915211157                  http://www.locolomo.org
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "
> freebsd-questions-unsubscribe@freebsd.org"
>
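
Added example, not part of the original messages and not the inet.pl script: a Python sketch that turns registry delegation records into one-CIDR-per-line output suitable for a pf `persist file` table such as the one quoted above. It assumes the registries' pipe-delimited "delegated" statistics layout (`registry|cc|type|start|count|date|status`); the function name `country_cidrs` is hypothetical and the sample records are constructed from private and documentation ranges.

```python
import ipaddress

# Constructed sample in the assumed "delegated" statistics layout:
# registry|cc|type|start|count|date|status
SAMPLE = """\
2|arin|20100308|4|19830101|20100308|-0500
arin|*|ipv4|*|3|summary
# constructed records, not real assignments
arin|US|ipv4|192.0.2.0|256|20100101|assigned
arin|US|ipv4|10.0.0.0|768|20100101|allocated
ripencc|ES|ipv4|203.0.113.0|256|20100101|assigned
arin|US|ipv6|2001:db8::|32|20100101|assigned
"""


def country_cidrs(lines, countries):
    """Return collapsed IPv4 CIDR strings for records whose cc is in `countries`."""
    nets = []
    for line in lines:
        fields = line.strip().split("|")
        # Skip comments, short summary lines and wildcard starts.
        if line.startswith("#") or len(fields) < 7 or fields[3] == "*":
            continue
        _registry, cc, kind, start, value = fields[:5]
        # This sketch handles IPv4 only; the version header line fails the
        # kind test too, because its third field is a date.
        if cc not in countries or kind != "ipv4":
            continue
        # For ipv4 the value is an address count, which need not be a power
        # of two, so one record can expand into several CIDR blocks.
        first = ipaddress.IPv4Address(start)
        last = first + int(value) - 1
        nets.extend(ipaddress.summarize_address_range(first, last))
    # Merge adjacent or overlapping blocks to keep the table small.
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    # One network per line, ready to redirect into the table file.
    print("\n".join(country_cidrs(SAMPLE.splitlines(), {"US"})))
```

The 768-address record comes out as a /23 plus a /24, which is the case a naive "count to prefix length" conversion gets wrong.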


