Date:      Mon, 11 Oct 2004 12:53:20 +0200
From:      "Pelle Andersson" <pelle@spd.nu>
To:        "'uidzero'" <uidzero@one-arm.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Adding network & IP to hosts.deny
Message-ID:  <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAArvdSa/sjb0OI1eLKLXuK1sKAAAAQAAAAGPMHS+PPcE+/vGQudy/SCwEAAAAA@spd.nu>
In-Reply-To: <416A60A3.8060906@one-arm.com>

Thanks all for your replies!

Yes, the IP addresses are changing all the time. The pages I serve
are for one country only (.se) so I think I can block whole nets
without any problem. If the pages were international there would
be a problem, I think.

2 new questions.

1. Is it possible to block a whole network with IPFW?

Like this for example:
---
${fwcmd} add 961 deny IP from 192.168.100.0/24 to any
---

2. Do I also need to raise the number 961 by one in the above line for each
new rule-line I add?

In the meantime, I need/want/must learn IPFW =)

Thanks again,
Best regards

Rob wrote:

> uidzero wrote:
>
>> Pelle Andersson wrote:
>>
>>> Hi!
>>>
>>> I have a lot of login attempts from various networks and IP
>>> addresses on my FBSD 4.10 server. I have read the man pages for
>>> hosts.deny but do not understand how to add networks and IP
>>> addresses to it.
>>>
>>
>> I use "/etc/rc.ipfw"...
>>
>>
>> ${fwcmd} add 300 deny IP from 24.19.0.105 to any
>> ${fwcmd} add 301 deny IP from 24.79.68.179 to any
>> ${fwcmd} add 400 deny IP from 61.100.180.125 to any
>> ${fwcmd} add 401 deny IP from 61.206.125.28 to any
>> ${fwcmd} add 402 deny IP from 61.211.239.236 to any
>> ${fwcmd} add 500 deny IP from 63.144.19.6 to any
>> ${fwcmd} add 501 deny IP from 64.246.20.123 to any
>> ${fwcmd} add 502 deny IP from 66.223.46.129 to any
>> ${fwcmd} add 503 deny IP from 67.81.127.99 to any
>> ${fwcmd} add 600 deny IP from 81.223.99.90 to any
>> ${fwcmd} add 700 deny IP from 140.112.124.123 to any
>> ${fwcmd} add 701 deny IP from 159.226.2.161 to any
>> ${fwcmd} add 702 deny IP from 163.25.65.3 to any
>> ${fwcmd} add 703 deny IP from 193.145.87.3 to any
>> ${fwcmd} add 800 deny IP from 202.57.191.179 to any
>> ${fwcmd} add 801 deny IP from 202.226.185.150 to any
>> ${fwcmd} add 810 deny IP from 203.71.62.9 to any
>> ${fwcmd} add 113 deny IP from 203.98.166.25 to any
>> ${fwcmd} add 812 deny IP from 203.115.96.151 to any
>> ${fwcmd} add 813 deny IP from 203.169.248.5 to any
>> ${fwcmd} add 814 deny IP from 203.186.157.37 to any
>> ${fwcmd} add 830 deny IP from 205.209.141.50 to any
>> ${fwcmd} add 870 deny IP from 209.88.93.138 to any
>> ${fwcmd} add 871 deny IP from 209.172.103.235 to any
>> ${fwcmd} add 880 deny IP from 210.204.129.11 to any
>> ${fwcmd} add 890 deny IP from 211.60.219.250 to any
>> ${fwcmd} add 891 deny IP from 211.221.246.28 to any
>> ${fwcmd} add 892 deny IP from 211.251.71.2 to any
>> ${fwcmd} add 893 deny IP from 211.252.9.126 to any
>> ${fwcmd} add 940 deny IP from 216.29.112.126 to any
>> ${fwcmd} add 950 deny IP from 217.172.182.148 to any
>> ${fwcmd} add 960 deny IP from 218.21.129.105 to any
>> ${fwcmd} add 961 deny IP from 218.49.183.17 to any
>> ${fwcmd} add 962 deny IP from 218.102.19.78 to any
>> ${fwcmd} add 963 deny IP from 218.237.66.152 to any
>> ${fwcmd} add 970 deny IP from 220.64.223.249 to any
>> ${fwcmd} add 971 deny IP from 220.73.215.151 to any
>> ${fwcmd} add 980 deny IP from 221.3.131.80 to any
>> ${fwcmd} add 981 deny IP from 221.12.11.118 to any
>> ${fwcmd} add 982 deny IP from 222.56.118.124 to any
>
>
> I have attacks by similar IP numbers. However, I discovered that these
> IP numbers are used only once to attack my PC.
> Next attack will be from a different IP number. So adding the IP
> numbers to your list each time after an attack, will make your
> deny-list longer and longer, but won't make it more effective, since
> it doesn't protect you against the attacker's next attempts.
>
> Unless, of course, someone is attacking again and again from the same
> IP number; but that is not what I observe.
>
> Rob.
>
>

Actually, quite a few have attempted several times from the same IPs. I
figure if it gets too big, I'll just block the whole class. What do I
care if a whole country can't access my lil webserver? :)

Thanks for the comment.

Michael

--
Michael D. Whities
uidzero@one-arm.com
http://www.one-arm.com

--

There are four colors of hats to watch for: 
Black, White, Grey, and Red.

The meanings are: 
Cracker, Hacker, Guru, and Victim.

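Added example, not part of the original thread: a small sh function that takes a per-address list like the one quoted above and prints ipfw deny rules, collapsing a /24 into a single network rule (the `192.168.100.0/24` form asked about) once a chosen number of distinct hosts in it have appeared, and numbering the rules upward from a starting number. The function names, the threshold, the start number 961 and the sample addresses are assumptions made for the example; it only prints rules and does not run ipfw.

```shell
#!/bin/sh
# gen_deny_rules START THRESHOLD   (one IPv4 address per line on stdin)
#   START      first rule number to use (assumed value for the example)
#   THRESHOLD  distinct hosts seen in one /24 before the whole /24 is denied
# Prints rule lines in the rc.ipfw style quoted above; it never runs ipfw.
gen_deny_rules() {
    LC_ALL=C sort -u | awk -F. -v n="$1" -v min="$2" '
        # Accept only dotted quads with every octet in 0..255; skip the rest.
        function valid(   i) {
            if (NF != 4) return 0
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || ($i + 0) > 255) return 0
            return 1
        }
        valid() {
            net = $1 "." $2 "." $3
            if (!(net in count)) order[++nets] = net   # keep first-seen order
            hosts[net, ++count[net]] = $0
        }
        END {
            for (k = 1; k <= nets; k++) {
                net = order[k]
                if (count[net] >= min + 0) {
                    # Enough distinct hosts: one rule for the whole /24.
                    printf "${fwcmd} add %d deny ip from %s.0/24 to any\n", n++, net
                } else {
                    # Otherwise keep one rule per offending host.
                    for (j = 1; j <= count[net]; j++)
                        printf "${fwcmd} add %d deny ip from %s to any\n", n++, hosts[net, j]
                }
            }
        }'
}

# Constructed sample input: RFC 5737 documentation addresses plus a duplicate
# and two malformed entries, not addresses taken from the thread.
sample_ips() {
    printf '%s\n' 192.0.2.10 192.0.2.77 192.0.2.10 192.0.2.200 \
        198.51.100.5 not-an-ip 203.0.113.999 203.0.113.8
}

sample_ips | gen_deny_rules 961 3
```

The printed lines are meant to be reviewed and then pasted into a rules file such as the `/etc/rc.ipfw` mentioned in the thread, where `${fwcmd}` is expanded by that script.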