Date:      Mon, 11 Oct 2004 13:10:18 +0200
From:      Mark Frasa <mark@frasa.net>
To:        freebsd-questions@freebsd.org
Subject:   Re: Adding network & IP to hosts.deny
Message-ID:  <20041011111018.GB22646@ws01.frasa.net>

----- Forwarded message from Mark Frasa <mark@frasa.net> -----

From: Mark Frasa <mark@frasa.net>
Subject: Re: Adding network & IP to hosts.deny
To: Pelle Andersson <pelle@spd.nu>
Reply-To: Mark Frasa <mark@frasa.net>
Date: Mon, 11 Oct 2004 13:05:04 +0200
User-Agent: Mutt/1.5.6i
Message-ID: <20041011110504.GA22646@ws01.frasa.net>

On 2004.10.11 12:53:20 +0200, Pelle Andersson wrote:
>
> Thanks all for your replies!
>
> Yes, the IP addresses are changing all the time. The pages I serve
> are for one country only (.se) so I think I can block whole nets
> without any problem. If the pages were international there would
> be a problem I think.
>
> 2 new questions.
>
> 1. Is it possible to block a whole network with IPFW?
>
> Like this for example:
> ---
> ${fwcmd} add 961 deny IP from 192.168.100.0/24 to any
> ---
>
> 2. Do I also need to raise the number 961 by one in the above line for
> each new rule-line I add?
>
> In the meantime, I need/want/must to learn IPFW =)
>
> Thanks again,
> Best regards
>
> Rob wrote:
>
> > uidzero wrote:
> >
> >> Pelle Andersson wrote:
> >>
> >>> Hi!
> >>>
> >>> I have a lot of login attempts from various networks and IP
> >>> addresses on my FBSD 4.10 server. I have read the man pages for
> >>> hosts.deny but do not understand how to add networks and IP
> >>> addresses to it.
> >>>
> >>
> >> I use "/etc/rc.ipfw"...
> >>
> >>
> >> ${fwcmd} add 300 deny IP from 24.19.0.105 to any
> >> ${fwcmd} add 301 deny IP from 24.79.68.179 to any
> >> ${fwcmd} add 400 deny IP from 61.100.180.125 to any
> >> ${fwcmd} add 401 deny IP from 61.206.125.28 to any
> >> ${fwcmd} add 402 deny IP from 61.211.239.236 to any
> >> ${fwcmd} add 500 deny IP from 63.144.19.6 to any
> >> ${fwcmd} add 501 deny IP from 64.246.20.123 to any
> >> ${fwcmd} add 502 deny IP from 66.223.46.129 to any
> >> ${fwcmd} add 503 deny IP from 67.81.127.99 to any
> >> ${fwcmd} add 600 deny IP from 81.223.99.90 to any
> >> ${fwcmd} add 700 deny IP from 140.112.124.123 to any
> >> ${fwcmd} add 701 deny IP from 159.226.2.161 to any
> >> ${fwcmd} add 702 deny IP from 163.25.65.3 to any
> >> ${fwcmd} add 703 deny IP from 193.145.87.3 to any
> >> ${fwcmd} add 800 deny IP from 202.57.191.179 to any
> >> ${fwcmd} add 801 deny IP from 202.226.185.150 to any
> >> ${fwcmd} add 810 deny IP from 203.71.62.9 to any
> >> ${fwcmd} add 113 deny IP from 203.98.166.25 to any
> >> ${fwcmd} add 812 deny IP from 203.115.96.151 to any
> >> ${fwcmd} add 813 deny IP from 203.169.248.5 to any
> >> ${fwcmd} add 814 deny IP from 203.186.157.37 to any
> >> ${fwcmd} add 830 deny IP from 205.209.141.50 to any
> >> ${fwcmd} add 870 deny IP from 209.88.93.138 to any
> >> ${fwcmd} add 871 deny IP from 209.172.103.235 to any
> >> ${fwcmd} add 880 deny IP from 210.204.129.11 to any
> >> ${fwcmd} add 890 deny IP from 211.60.219.250 to any
> >> ${fwcmd} add 891 deny IP from 211.221.246.28 to any
> >> ${fwcmd} add 892 deny IP from 211.251.71.2 to any
> >> ${fwcmd} add 893 deny IP from 211.252.9.126 to any
> >> ${fwcmd} add 940 deny IP from 216.29.112.126 to any
> >> ${fwcmd} add 950 deny IP from 217.172.182.148 to any
> >> ${fwcmd} add 960 deny IP from 218.21.129.105 to any
> >> ${fwcmd} add 961 deny IP from 218.49.183.17 to any
> >> ${fwcmd} add 962 deny IP from 218.102.19.78 to any
> >> ${fwcmd} add 963 deny IP from 218.237.66.152 to any
> >> ${fwcmd} add 970 deny IP from 220.64.223.249 to any
> >> ${fwcmd} add 971 deny IP from 220.73.215.151 to any
> >> ${fwcmd} add 980 deny IP from 221.3.131.80 to any
> >> ${fwcmd} add 981 deny IP from 221.12.11.118 to any
> >> ${fwcmd} add 982 deny IP from 222.56.118.124 to any
> >
> >
> > I have attacks by similar IP numbers. However, I discovered that these
> > IP numbers are used only once to attack my PC.
> > Next attack will be from a different IP number. So adding the IP
> > numbers to your list each time after an attack, will make your
> > deny-list longer and longer, but won't make it more effective, since
> > it doesn't protect you against the attacker's next attempts.
> >
> > Unless, of course, someone is attacking again and again from the same
> > IP number; but that is not what I observe.
> >
> > Rob.
> >
> >
>
> Actually, quite a few have attempted several times from the same IPs. I
> figure if it gets too big, I'll just block the whole class. What do I
> care if a whole country can't access my lil webserver? :)
>
> Thanks for the comment.
>
> Michael
>
> --
> Michael D. Whities
> uidzero@one-arm.com
> http://www.one-arm.com
>
> --
>
> There are four colors of hats to watch for:
> Black, White, Grey, and Red.
>
> The meanings are:
> Cracker, Hacker, Guru, and Victim.
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"

Hi,

Q1 > Yes, you can add like /24 behind the IP address to specify a range.

Q2 > The best thing is to raise the number for each rule; when you later on
have to debug, you can delete for instance number 961, which will contain
only 1 line. I.e., if you give 5 rules the same number, you will delete all 5
when you type:

ipfw delete 961

Mark.



----- End forwarded message -----
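
An added example, not part of the original thread: a POSIX shell script that turns a blocklist of addresses and /N networks into ipfw deny rules with one rule number per entry, so that `ipfw delete N` removes exactly one entry, as the reply above recommends. The function names, the base number 1000, the step of 10 and the sample addresses are assumptions; the rules are only printed, not loaded.

```shell
#!/bin/sh
# Added example, not from the thread; function names, BASE, STEP are hypothetical.

# valid_entry ENTRY: succeed only for a dotted-quad IPv4 address, optional /0-32
valid_entry() {
    case $1 in ''|*[!0-9./]*|*.|*./*) return 1 ;; esac
    addr=${1%%/*}
    case $1 in */*) bits=${1#*/} ;; *) bits=32 ;; esac
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in '') return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# gen_deny_rules BASE STEP: read entries on stdin, print rc.ipfw lines on stdout.
# STEP > 1 leaves unused numbers so a rule can be inserted between two others.
gen_deny_rules() {
    num=$1 step=$2 seen=" "
    while read -r entry rest; do
        case $entry in ''|'#'*) continue ;; esac
        if ! valid_entry "$entry"; then
            echo "skipped invalid entry: $entry" >&2
            continue
        fi
        case $seen in *" $entry "*) continue ;; esac   # already emitted
        seen="$seen$entry "
        printf '${fwcmd} add %s deny ip from %s to any\n' "$num" "$entry"
        num=$((num + step))
    done
}

# Constructed sample input (documentation ranges, not addresses from the thread)
sample_blocklist() {
    cat <<'EOF'
# one address or network per line
192.0.2.17
198.51.100.0/24
192.0.2.17
203.0.113.300
EOF
}

sample_blocklist | gen_deny_rules 1000 10
```

The duplicate entry is emitted once and the malformed one is reported on stderr, so every printed rule has its own number and can be removed on its own with `ipfw delete`.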
