Date:      Mon, 11 Oct 2004 07:32:36 -0500
From:      uidzero <uidzero@one-arm.com>
To:        Rob <spamrefuse@yahoo.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Adding network & IP to hosts.deny
Message-ID:  <416A7D64.4090702@one-arm.com>
In-Reply-To: <416A6CA0.1020306@yahoo.com>
References:  <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAArvdSa/sjb0OI1eLKLXuK1sKAAAAQAAAAnNdJfVuVREajW0jiKTPoYAEAAAAA@spd.nu> <416A5CF6.20508@one-arm.com> <416A6062.9080106@yahoo.com> <416A60A3.8060906@one-arm.com> <416A6CA0.1020306@yahoo.com>

Rob wrote:

> uidzero wrote:
>
>> Rob wrote:
>>
>>> uidzero wrote:
>>>
>>>> Pelle Andersson wrote:
>>>>
>>>>> Hi!
>>>>>
>>>>> I have a lot of login attempts from various networks and IP addresses
>>>>> on my FBSD 4.10 server. I have read the man pages for hosts.deny but
>>>>> do not understand how to add networks and IP addresses to it.
>>>>>
>>>>
>>>> I use "/etc/rc.ipfw"...
>>>>
>>>>
>>>> ${fwcmd} add 300 deny IP from 24.19.0.105 to any
>>>> ${fwcmd} add 301 deny IP from 24.79.68.179 to any
>>>> ${fwcmd} add 400 deny IP from 61.100.180.125 to any
>>>> ${fwcmd} add 401 deny IP from 61.206.125.28 to any
>>>
>   [...snip...]
>
>>>> ${fwcmd} add 971 deny IP from 220.73.215.151 to any
>>>> ${fwcmd} add 980 deny IP from 221.3.131.80 to any
>>>> ${fwcmd} add 981 deny IP from 221.12.11.118 to any
>>>> ${fwcmd} add 982 deny IP from 222.56.118.124 to any
>>>
>>>
>>>
>>>
>>> I have attacks by similar IP numbers. However, I discovered
>>> that these IP numbers are used only once to attack my PC.
>>> Next attack will be from a different IP number. So adding the
>>> IP numbers to your list each time after an attack, will make
>>> your deny-list longer and longer, but won't make it more effective,
>>> since it doesn't protect you against the attacker's next attempts.
>>>
>>> Unless, of course, someone is attacking again and again from the
>>> same IP number; but that is not what I observe.
>>>
>>> Rob.
>>>
>>>
>>
>> Actually, quite a few have attempted several times from the same IPs. 
>> I figure if it gets too big, I'll just block the whole class. What do 
>> I care if a whole country can't access my lil webserver? :)
>
>
> Have you bothered to monitor your rules with ipfw -dt show, or by adding
> a 'log' to your rules? That would give you a clue as to how effective
> your deny rules are.
>
> Rob.
>
>

I've added a few friends' static IPs and they weren't able to get any of 
the services my system runs. So, not only is ssh blocked, everything is 
blocked.

Michael

-- 
Michael D. Whities
uidzero@one-arm.com
http://www.one-arm.com

--

There are four colors of hats to watch for: 
Black, White, Grey, and Red.

The meanings are: 
Cracker, Hacker, Guru, and Victim.
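
Added example (not part of the original message or thread): a small sh/awk helper for the counter check suggested in the quoted reply, reporting which deny rules have actually matched packets. It assumes plain `ipfw show` output (rule number, packet count, byte count, rule text); the function names and the sample counters are constructed for illustration.

```shell
#!/bin/sh
# Report hit counters for ipfw deny rules, to see whether a growing
# block list is doing any work.
# Assumption: input is plain `ipfw show` output:
#   <rule number> <packets> <bytes> <rule text>

# Constructed sample input: addresses taken from the thread, counters made up.
sample_ipfw_show() {
cat <<'EOF'
00100   4521   812344 allow ip from any to any via lo0
00300     37     2220 deny ip from 24.19.0.105 to any
00301      0        0 deny ip from 24.79.68.179 to any
00400      3      180 deny ip from 61.100.180.125 to any
00401      0        0 deny ip from 61.206.125.28 to any
65535  90210 44120011 allow ip from any to any
EOF
}

# deny_rule_report: read `ipfw show` output on stdin and print
# "<rule> <source> <packets> <HIT|NEVER>" per deny rule, then a summary.
deny_rule_report() {
    awk '
    $4 == "deny" {
        src = "?"
        # the source address is the token that follows "from"
        for (i = 5; i < NF; i++) if ($i == "from") { src = $(i + 1); break }
        if ($2 > 0) { state = "HIT"; hit++ } else { state = "NEVER"; never++ }
        printf "%s %s %d %s\n", $1, src, $2, state
    }
    END { printf "summary: %d matched, %d never matched\n", hit + 0, never + 0 }
    '
}

# never_matched: print only the rule numbers of deny rules with a zero counter.
never_matched() {
    deny_rule_report | awk '$4 == "NEVER" { print $1 }'
}

# Demonstration on the constructed sample.
# On a live system (as root): ipfw show | deny_rule_report
sample_ipfw_show | deny_rule_report
```

A zero counter only means the rule has not matched since the counters were last cleared (for example with `ipfw zero`) or the rules were reloaded, so compare readings taken over a known interval.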


