Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 11 Oct 2004 07:32:36 -0500
From:      uidzero <uidzero@one-arm.com>
To:        Rob <spamrefuse@yahoo.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Adding network & IP to hosts.deny
Message-ID:  <416A7D64.4090702@one-arm.com>
In-Reply-To: <416A6CA0.1020306@yahoo.com>
References:  <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAArvdSa/sjb0OI1eLKLXuK1sKAAAAQAAAAnNdJfVuVREajW0jiKTPoYAEAAAAA@spd.nu> <416A5CF6.20508@one-arm.com> <416A6062.9080106@yahoo.com> <416A60A3.8060906@one-arm.com> <416A6CA0.1020306@yahoo.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Rob wrote:

> uidzero wrote:
>
>> Rob wrote:
>>
>>> uidzero wrote:
>>>
>>>> Pelle Andersson wrote:
>>>>
>>>>> Hi!
>>>>>
>>>>> I have a lot of login attempts from various networks and IP addresses
>>>>> on my FBSD 4.10 server. I have read the man pages for hosts.deny but
>>>>> do not understand how to add networks and IP addresses to it.
>>>>>
>>>>
>>>> I use "/etc/rc.ipfw"...
>>>>
>>>>
>>>> ${fwcmd} add 300 deny IP from 24.19.0.105 to any
>>>> ${fwcmd} add 301 deny IP from 24.79.68.179 to any
>>>> ${fwcmd} add 400 deny IP from 61.100.180.125 to any
>>>> ${fwcmd} add 401 deny IP from 61.206.125.28 to any
>>>
>   [...snip...]
>
>>>> ${fwcmd} add 971 deny IP from 220.73.215.151 to any
>>>> ${fwcmd} add 980 deny IP from 221.3.131.80 to any
>>>> ${fwcmd} add 981 deny IP from 221.12.11.118 to any
>>>> ${fwcmd} add 982 deny IP from 222.56.118.124 to any
>>>
>>>
>>>
>>>
>>> I have attacks by similar IP numbers. However, I discovered
>>> that these IP numbers are used only once to attack my PC.
>>> Next attack will be from a different IP number. So adding the
>>> IP numbers to your list each time after an attack, will make
>>> your deny-list longer and longer, but won't make it more effective,
>>> since it doesn't protect you against the attackers next attempts.
>>>
>>> Unless, of course, someone is attacking again and again from the
>>> same IP number; but that is not what I observe.
>>>
>>> Rob.
>>>
>>>
>>
>> Actually, quite a few has attempted several times from the same IPs. 
>> I figure if it gets to big, I'll just block the whole class. What do 
>> I care if a whole country can't access my lil webserver? :)
>
>
> Have you bothered to monitor your rules with ipfw -dt show, or by adding
> a 'log' to your rules? That would give you a clue as to how effective
> your deny rules are.
>
> Rob.
>
>

I've added a few friends static IPs and they weren't able to get any of 
the services my system runs. So,noy only is ssh blocked, everything is 
blocked.

Michael

-- 
Michael D. Whities
uidzero@one-arm.com
http://www.one-arm.com

--

There are four colors of hats to watch for: 
Black, White, Grey, and Red.

The meanings are: 
Cracker, Hacker, Guru, and Victim.



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?416A7D64.4090702>