Date:      Mon, 18 Oct 2004 10:29:02 -0400
From:      Louis LeBlanc <FreeBSD@keyslapper.org>
To:        FBSD-Q <freebsd-questions@freebsd.org>
Subject:   Re: Are these attempts by password crackers??
Message-ID:  <20041018142902.GA4599@keyslapper.org>
In-Reply-To: <200410181447.15620.h@erathia.be>
References:  <20041018055122.GB35360@ns2.wananchi.com> <200410181447.15620.h@erathia.be>

On 10/18/04 02:47 PM, h sat at the `puter and typed:
> trace the ip and file complain to their isp ?

$ whois 210.80.96.185

OrgName:    Asia Pacific Network Information Centre
OrgID:      APNIC
Address:    PO Box 2131
City:       Milton
StateProv:  QLD
PostalCode: 4064
Country:    AU

ReferralServer: whois://whois.apnic.net

NetRange:   210.0.0.0 - 211.255.255.255
CIDR:       210.0.0.0/7
NetName:    APNIC-CIDR-BLK2
NetHandle:  NET-210-0-0-0-1

. . .

Don't even bother when it's an Asian network.

I just add the CIDR to my firewall and lop off a chunk of Asia each time
this happens.  I think I've got most of it killed at this point.

Of course, this is a bit excessive, and many people won't be able to
function this way.  I, OTOH, have no direct dealings with Asia at this
point, and don't have a problem shutting the door to these networks for
the time being.

For most countries, I generally try to make a complaint.  If I think I
might even remotely wish to surf there, I avoid the blockade.

As with any excessive method, I tend to cycle them out at some point.
If the problem returns, I cycle it back in.  At some point, I may have
to take out these blockades and deal with the attempts more directly,
but not now.  Maybe someday it will be easier to have action taken in
these cases.

One more thing that might be worth trying, block out all users that
should not be able to log in from outside.

I have several that may log in from my internal network, but not from
outside.  This is done in login.access as follows:

-:user1 user2 user3:ALL EXCEPT LOCAL .mydomain.org

This removes access (-) for the given users (user1, user2, user3) from
all locations except the local machine and any machine recognized as a
mydomain.org system (like rainbow.mydomain.org).

That basically ensures these hackers won't have a larger access pool to
try to find.  The fewer users that can actually log in from external
networks, the harder it will be for them to find one they can try to
brute force.

Of course, the neat thing about this is FreeBSD will never tell them
whether they have a real id or not anyway . . .

Lou
-- 
Louis LeBlanc               FreeBSD@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org

Mark's Dental-Chair Discovery:
  Dentists are incapable of asking questions that require a
  simple yes or no answer.
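An added example, not part of the message above and not FreeBSD's own code: a small Python re-implementation of the login.access(5) matching rules, so the "-:user1 user2 user3:ALL EXCEPT LOCAL .mydomain.org" line can be tried against sample logins without touching a real system. The sample /etc/login.access contents, the user names and the origin host names are constructed for the example; group names in the users field are not modelled (a simplification). The second sample rule goes beyond the message and shows the network-number form of an origin token (a prefix ending in "."), which refuses the whois prefix from the thread at the login stage rather than in the firewall.

```python
"""Evaluate FreeBSD login.access(5) rules for a (user, origin) pair.

Added example for this thread, not code from the message or from FreeBSD.
It re-implements the matching semantics of login.access(5):
  - each line is  permission:users:origins  with permission "+" or "-"
  - the first line whose origins list AND users list both match decides
  - a (user, origin) pair that matches no line is permitted
Simplifications (assumptions): the users field accepts only login names
and ALL (group names are not modelled); origins are plain strings, i.e. a
tty name, a host name or a dotted-quad address.
"""

# Constructed sample /etc/login.access for this example.
SAMPLE_LOGIN_ACCESS = """\
# the rule from the message: user1..user3 may only log in from a local
# tty or from a host inside mydomain.org
-:user1 user2 user3:ALL EXCEPT LOCAL .mydomain.org
# refuse everybody arriving from the two /8s that make up the whois /7
# (network tokens end in "." and are matched as a string prefix)
-:ALL:210. 211.
"""


def _tokens(field: str) -> list[str]:
    """Split a users/origins field on spaces, tabs or commas."""
    return field.replace(",", " ").split()


def _user_match(tok: str, user: str) -> bool:
    return tok.upper() == "ALL" or tok == user


def _from_match(tok: str, origin: str) -> bool:
    """Origin token semantics from login.access(5)."""
    if tok.upper() == "ALL" or tok.lower() == origin.lower():
        return True                      # ALL, or exact (case-insensitive) match
    if tok.startswith("."):              # ".mydomain.org": match trailing labels only
        return len(origin) > len(tok) and origin.lower().endswith(tok.lower())
    if tok.upper() == "LOCAL":           # LOCAL: any origin without a "."
        return "." not in origin         # (tty names, unqualified host names)
    if tok.endswith("."):                # "210.": network number, string prefix
        return origin.startswith(tok)
    return False


def _list_match(tokens, item, match_fn) -> bool:
    """True if item matches the list; an EXCEPT sub-list can cancel the match."""
    hit = None
    for i, tok in enumerate(tokens):
        if tok.upper() == "EXCEPT":      # reached the exceptions without a match
            return False
        if match_fn(tok, item):
            hit = i
            break
    if hit is None:
        return False
    rest = [t.upper() for t in tokens[hit + 1:]]
    if "EXCEPT" not in rest:
        return True
    exceptions = tokens[hit + 1:][rest.index("EXCEPT") + 1:]
    return not _list_match(exceptions, item, match_fn)   # nested EXCEPT works too


def login_access_allows(rules: str, user: str, origin: str) -> bool:
    """First line whose origins AND users both match decides; no match => allowed."""
    for raw in rules.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed login.access line: {raw!r}")
        perm, users, froms = fields
        if (_list_match(_tokens(froms), origin, _from_match)
                and _list_match(_tokens(users), user, _user_match)):
            return perm == "+"
    return True


def check_samples() -> list[tuple[str, str, bool]]:
    """Constructed login attempts evaluated against SAMPLE_LOGIN_ACCESS."""
    attempts = [
        ("user1", "ttyv0"),                 # console login: LOCAL exception applies
        ("user1", "rainbow.mydomain.org"),  # inside .mydomain.org: allowed
        ("user1", "shell.example.com"),     # anywhere else: refused
        ("user2", "ftp.notmydomain.org"),   # not a .mydomain.org host: refused
        ("lou", "shell.example.com"),       # user in no rule: default allow
        ("lou", "210.80.96.185"),           # the whois prefix: refused for everyone
    ]
    return [(u, o, login_access_allows(SAMPLE_LOGIN_ACCESS, u, o)) for u, o in attempts]


if __name__ == "__main__":
    for user, origin, ok in check_samples():
        print(f"{user:6} from {origin:22} -> {'allow' if ok else 'REFUSE'}")
```

Two things worth noticing when writing such rules: a domain token only matches on a label boundary, so ".mydomain.org" does not let ftp.notmydomain.org in, and a network token is a plain string prefix, so "21." would not cover 210.0.0.0/8; spell out each /8 as its own token as the sample does.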



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041018142902.GA4599>