Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 4 Dec 2008 02:53:57 +0000
From:      "Daniel Bye" <danielby@slightlystrange.org>
To:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: Firewalls using a DNSbl (and distributed ssh attacks)
Message-ID:  <20081204025357.GD19575@torus.slightlystrange.org>
In-Reply-To: <D6D13508-3ED2-4DF3-ACF4-F09EB64784E3@goldmark.org>
References:  <D6D13508-3ED2-4DF3-ACF4-F09EB64784E3@goldmark.org>
next in thread | previous in thread | raw e-mail | index | archive | help 

--10jrOL3x2xqLmOsH
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Dec 03, 2008 at 07:43:26PM -0600, Jeffrey Goldberg wrote:
> It's not a big issue, but I'm wondering if there is a DNSBl that lists =
=20
> IPs that are engaging in brute force ssh attacks.  And if there is =20
> such a list, is there a way to integrate that information into a =20
> firewall or sshd.
>=20
> As I've said this really isn't a big issue for me, as the brute force =20
> attempts at sshd are nothing but an annoyance as I review logs.
>=20
> The attacks that I'm seeing appear to be coordinated and distributed.  =
=20
> That is, there will be one attempt on username "fred" from one IP =20
> immediately followed by an attempt on "freddy" from another IP =20
> followed by an attempt on "fredrick" from a third source and so on.

I don't know of any DNSbl type service, but I am using DenyHosts with
very great success. Its synchronisation feature allows participating
instances of the script to share IP addresses of misbehaving hosts,
so as soon as an address hits the database, it's only a matter of an
hour or so before your instance can start blocking it.

The basic setup uses TCP wrappers to block offending hosts, but I am
using the datafile it maintains as a file-based table in pf, which I
reload periodically from a cronjob.

Dan

--=20
Daniel Bye
                                                                     _
                                              ASCII ribbon campaign ( )
                                         - against HTML, vCards and  X
                                - proprietary attachments in e-mail / \

--10jrOL3x2xqLmOsH
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (FreeBSD)

iEYEARECAAYFAkk3RkUACgkQixf5fBYiFmonhgCgslPAyIXD1ARigWJnB5x2PBZO
BoEAmgPejzMk4uNU1qPnRkaaSn4eAfku
=6/K7
-----END PGP SIGNATURE-----

--10jrOL3x2xqLmOsH--

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20081204025357.GD19575>