From: "Pelle Andersson"
Organization: SPD Systems
To: "'uidzero'"
cc: freebsd-questions@freebsd.org
Date: Mon, 11 Oct 2004 12:53:20 +0200
Subject: Re: Adding network & IP to hosts.deny

Thanks all for your replies!

Yes, the IP addresses are changing all the time.
The pages I serve are for one country only (.se) so I think I can block whole nets without any problem. If the pages were international there would be a problem, I think.

2 new questions.

1. Is it possible to block a whole network with IPFW?
Like this for example:
---
${fwcmd} add 961 deny IP from 192.168.100.0/24 to any
---

2. Do I also need to raise the number 961 by one in the above line for each new rule-line I add?

In the meantime, I need/want/must to learn IPFW =)

Thanks again,
Best regards

Rob wrote:

> uidzero wrote:
>
>> Pelle Andersson wrote:
>>
>>> Hi!
>>>
>>> I have a lot of login attempts from various networks and IP
>>> addresses on my FBSD 4.10 server. I have read the man pages for
>>> hosts.deny but do not understand how to add networks and IP addresses to it.
>>>
>>
>> I use "/etc/rc.ipfw"...
>>
>>
>> ${fwcmd} add 300 deny IP from 24.19.0.105 to any
>> ${fwcmd} add 301 deny IP from 24.79.68.179 to any
>> ${fwcmd} add 400 deny IP from 61.100.180.125 to any
>> ${fwcmd} add 401 deny IP from 61.206.125.28 to any
>> ${fwcmd} add 402 deny IP from 61.211.239.236 to any
>> ${fwcmd} add 500 deny IP from 63.144.19.6 to any
>> ${fwcmd} add 501 deny IP from 64.246.20.123 to any
>> ${fwcmd} add 502 deny IP from 66.223.46.129 to any
>> ${fwcmd} add 503 deny IP from 67.81.127.99 to any
>> ${fwcmd} add 600 deny IP from 81.223.99.90 to any
>> ${fwcmd} add 700 deny IP from 140.112.124.123 to any
>> ${fwcmd} add 701 deny IP from 159.226.2.161 to any
>> ${fwcmd} add 702 deny IP from 163.25.65.3 to any
>> ${fwcmd} add 703 deny IP from 193.145.87.3 to any
>> ${fwcmd} add 800 deny IP from 202.57.191.179 to any
>> ${fwcmd} add 801 deny IP from 202.226.185.150 to any
>> ${fwcmd} add 810 deny IP from 203.71.62.9 to any
>> ${fwcmd} add 113 deny IP from 203.98.166.25 to any
>> ${fwcmd} add 812 deny IP from 203.115.96.151 to any
>> ${fwcmd} add 813 deny IP from 203.169.248.5 to any
>> ${fwcmd} add 814 deny IP from 203.186.157.37 to any
>> ${fwcmd} add 830 deny IP from 205.209.141.50 to any
>> ${fwcmd} add 870 deny IP from 209.88.93.138 to any
>> ${fwcmd} add 871 deny IP from 209.172.103.235 to any
>> ${fwcmd} add 880 deny IP from 210.204.129.11 to any
>> ${fwcmd} add 890 deny IP from 211.60.219.250 to any
>> ${fwcmd} add 891 deny IP from 211.221.246.28 to any
>> ${fwcmd} add 892 deny IP from 211.251.71.2 to any
>> ${fwcmd} add 893 deny IP from 211.252.9.126 to any
>> ${fwcmd} add 940 deny IP from 216.29.112.126 to any
>> ${fwcmd} add 950 deny IP from 217.172.182.148 to any
>> ${fwcmd} add 960 deny IP from 218.21.129.105 to any
>> ${fwcmd} add 961 deny IP from 218.49.183.17 to any
>> ${fwcmd} add 962 deny IP from 218.102.19.78 to any
>> ${fwcmd} add 963 deny IP from 218.237.66.152 to any
>> ${fwcmd} add 970 deny IP from 220.64.223.249 to any
>> ${fwcmd} add 971 deny IP from 220.73.215.151 to any
>> ${fwcmd} add 980 deny IP from 221.3.131.80 to any
>> ${fwcmd} add 981 deny IP from 221.12.11.118 to any
>> ${fwcmd} add 982 deny IP from 222.56.118.124 to any
>
>
> I have attacks by similar IP numbers. However, I discovered that these
> IP numbers are used only once to attack my PC.
> Next attack will be from a different IP number. So adding the IP
> numbers to your list each time after an attack will make your
> deny-list longer and longer, but won't make it more effective, since
> it doesn't protect you against the attacker's next attempts.
>
> Unless, of course, someone is attacking again and again from the same
> IP number; but that is not what I observe.
>
> Rob.
>
>

Actually, quite a few have attempted several times from the same IPs.
I figure if it gets too big, I'll just block the whole class. What do I care if a whole country can't access my lil webserver? :)

Thanks for the comment.

Michael

--
Michael D. Whities
uidzero@one-arm.com
http://www.one-arm.com
--
There are four colors of hats to watch for: Black, White, Grey, and Red.
The meanings are: Cracker, Hacker, Guru, and Victim.
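
For the two questions in this message (a whole network in one rule, and rule numbering), the script below generates rc.ipfw lines from a blocklist, writing networks in the same addr/prefix form as single hosts and giving each rule its own number. It is an added example, not code from anyone in the thread; `gen_deny_rules`, `sample_blocklist` and the sample addresses are assumptions, and the default minimum prefix length of 8 is an arbitrary guard against a mistyped prefix that would block far more than intended.

```shell
#!/bin/sh
# Added example, not from the thread. gen_deny_rules and sample_blocklist are
# hypothetical names; the sample addresses are constructed.

# gen_deny_rules START STEP [MINPREFIX]
# Reads one IPv4 address or addr/prefix per line on stdin and prints one
# rc.ipfw deny line per unique valid entry, numbered START, START+STEP, ...
# Returns 1 if any entry was rejected, 2 if rule numbers ran past 65534.
gen_deny_rules() {
    awk -v n="$1" -v step="$2" -v min="${3:-8}" '
    function valid(s,    p, o, i, k) {
        k = split(s, p, "/")
        if (k > 2) return 0
        # a prefix must be numeric, at most 32, and not shorter than min
        if (k == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32 || p[2] + 0 < min))
            return 0
        if (split(p[1], o, ".") != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
        return 1
    }
    BEGIN { n += 0; step += 0; min += 0 }
    { sub(/#.*/, ""); gsub(/[ \t]/, "") }          # drop comments and blanks
    $0 == "" { next }
    !valid($0) { print "rejected line " NR ": " $0 | "cat 1>&2"; bad = 1; next }
    seen[$0]++ { next }                             # skip duplicates
    n > 65534 { bad = 2; exit }                     # 65535 is the default rule
    { printf "${fwcmd} add %d deny ip from %s to any\n", n, $0; n += step }
    END { exit bad + 0 }
    '
}

# Constructed sample input: one network, one host (listed twice), and three
# entries that must be rejected (prefix > 32, prefix < 8, octet > 255).
sample_blocklist() {
    cat <<'EOF'
# constructed sample input
192.168.100.0/24
198.51.100.7      # single host
198.51.100.7
203.0.113.0/33
10.0.0.0/2
192.0.2.300
EOF
}

sample_blocklist | gen_deny_rules 961 1 || echo "some entries were rejected" >&2
```

The output lines are meant to be pasted into the rule file and reviewed before loading; the script never calls ipfw itself.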