Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 21 Mar 2010 02:33:42 +0100
From:      Erik Norgaard <norgaard@locolomo.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: bruteforce protection howto
Message-ID:  <4BA57776.8020404@locolomo.org>
In-Reply-To: <1269123444.32263.53.camel@ubuntu>
References:  <1269123444.32263.53.camel@ubuntu>

next in thread | previous in thread | raw e-mail | index | archive | help
On 20/03/10 23:17, Vadkan Jozsef wrote:

> What's the best method to ban that ip [what is bruteforcig a server]
> what was logged on the logger?
> I need to ban the ip on the router pc.

Take your time to think about if this is indeed the right solution.

1st: You need to decide which is the right policy to deploy. Basically 
you can opt for a default deny or a default allow. With default deny you 
create white lists for the exceptions that should be allows. With 
default allow you create black lists. Default deny and default allow 
roughly corresponds to the policies of OpenBSD vs. Microsoft Windows.

So, when is white listing an option? When you have a limited set of 
exceptions, for example your local users that need ssh access. If this 
set is limited consider deploying default deny. On the other hand, this 
is not an option for your web service that you wish to provide for 
anyone anywhere.

Blacklisting is futile (think, did anti-virus solve the virus problem?). 
Intruders may attempt to connect from anywhere, blocking a single IP 
won't solve your problem, most likely the next attempt will not come 
from that IP. This is because these attacks may be launched from a 
number of compromised pc's and because the attacking pc may have 
dynamically assigned address. So you need to block entire ranges, but 
which?

I recently analysed my maillog to see where attempted spammers connected 
from. I found some 3500 hosts in 1600 ranges (using whois lookup). These 
ranges being typically /16. I haven't tried with ssh but I doubt it 
would be much different.

If on top of this you make some auto-respond system, you expose yourself 
to a denial of service attack, blindly blocking anything that creates a 
log entry.

Whether you use white or black listing this is effective only if you can 
make informed decisions. If you don't do business with say China and you 
know that 25% of all spam originates from China, it is only rational to 
block access from China.

But, whenever possible, use white listing.

BR, Erik

-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157                  http://www.locolomo.org



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4BA57776.8020404>