Date: Mon, 08 Mar 2010 23:11:35 +0100
From: Erik Norgaard <norgaard@locolomo.org>
To: freebsd-questions@freebsd.org
Subject: Re: Thousands of ssh probes
Message-ID: <4B957617.9080000@locolomo.org>
In-Reply-To: <970380131003080956u375be282wd5e5e4445841146f@mail.gmail.com>
References: <20100305125446.GA14774@elwood.starfire.mn.org> <4B91B36D.1020507@locolomo.org> <20100307204114.GK16274@mail2.dcoder.net> <4B942D4B.6070407@locolomo.org> <970380131003080956u375be282wd5e5e4445841146f@mail.gmail.com>

On 08/03/10 18:56, Jason Garrett wrote:
>> Much better, restrict the client access to certain ranges of IPs. The
>> different registries publish ip ranges assigned per country and you can
>> create a list blocking countries you are certain not to visit, you can use
>> my script:
>>
>> http://www.locolomo.org/pub/src/toolbox/inet.pl
>>
> Great script! Just one question. Where do you put the list of denied ip
> ranges?

The output is written to be used with packet filter, if you use some
other firewall you may need to edit the script. If you use packet filter,
then you can dump the list into a file and create tables like this:

    table <blacklist> persist file "/etc/blacklist"
    block in quick from <blacklist>

I use blacklisting for mail while I use whitelisting for ssh.

You should know the limits of the script, the problem is that some
ranges have been assigned directly by IANA, particularly for US. These
are not included. The list is limited as these are all /8 chunks, you
can find it here:

http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml

These ranges are managed by private organisations and assigned as they
see fit.

There is another thing I'd like to filter by: I'd like to eliminate
dynamic ranges, particularly for mail. It's been recommended that
reverse lookup resolves to something like dyn.example.com or
dynamic.example.com, but there is no registry where you can simply look
it up.

BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157
http://www.locolomo.org