From owner-freebsd-questions@FreeBSD.ORG Mon Oct 11 11:21:10 2004
Message-ID: <416A6CA0.1020306@yahoo.com>
Date: Mon, 11 Oct 2004 20:21:04 +0900
From: Rob
To: uidzero, freebsd-questions@freebsd.org
References: <416A5CF6.20508@one-arm.com> <416A6062.9080106@yahoo.com> <416A60A3.8060906@one-arm.com>
In-Reply-To: <416A60A3.8060906@one-arm.com>
Subject: Re: Adding network & IP to hosts.deny

uidzero wrote:
> Rob wrote:
>
>> uidzero wrote:
>>
>>> Pelle Andersson wrote:
>>>
>>>> Hi!
>>>>
>>>> I have a lot of login attempts from various networks and IP addresses
>>>> on my FBSD 4.10 server. I have read the man pages for hosts.deny but
>>>> do not understand how to add networks and IP addresses to it.
>>>>
>>>
>>> I use "/etc/rc.ipfw"...
>>>
>>>
>>> ${fwcmd} add 300 deny IP from 24.19.0.105 to any
>>> ${fwcmd} add 301 deny IP from 24.79.68.179 to any
>>> ${fwcmd} add 400 deny IP from 61.100.180.125 to any
>>> ${fwcmd} add 401 deny IP from 61.206.125.28 to any
>>> [...snip...]
>>> ${fwcmd} add 971 deny IP from 220.73.215.151 to any
>>> ${fwcmd} add 980 deny IP from 221.3.131.80 to any
>>> ${fwcmd} add 981 deny IP from 221.12.11.118 to any
>>> ${fwcmd} add 982 deny IP from 222.56.118.124 to any
>>
>>
>>
>> I have attacks by similar IP numbers. However, I discovered
>> that these IP numbers are used only once to attack my PC.
>> Next attack will be from a different IP number. So adding the
>> IP numbers to your list each time after an attack, will make
>> your deny-list longer and longer, but won't make it more effective,
>> since it doesn't protect you against the attacker's next attempts.
>>
>> Unless, of course, someone is attacking again and again from the
>> same IP number; but that is not what I observe.
>>
>> Rob.
>>
>>
>
> Actually, quite a few have attempted several times from the same IPs. I
> figure if it gets too big, I'll just block the whole class. What do I
> care if a whole country can't access my lil webserver? :)

Have you bothered to monitor your rules with ipfw -dt show, or by adding
a 'log' to your rules? That would give you a clue as to how effective
your deny rules are.

Rob.
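
One way to run the check suggested in the reply above, as an added example that is not part of the original thread: it reads `ipfw show` counter output (rule number, packets, bytes, rule body) and reports which deny rules never matched a packet. The function names are hypothetical and the sample counters are constructed; only the addresses come from the quoted rules.

```shell
#!/bin/sh
# Constructed sample in the layout printed by `ipfw show`:
#   rule-number  packet-count  byte-count  rule-body
# The counter values are invented for illustration.
sample_counters() {
cat <<'EOF'
00300   0     0 deny ip from 24.19.0.105 to any
00301  14   840 deny ip from 24.79.68.179 to any
00400   0     0 deny ip from 61.100.180.125 to any
00401   3   180 deny ip from 61.206.125.28 to any
00971   0     0 deny ip from 220.73.215.151 to any
65000 912 88211 allow ip from any to any
EOF
}

# Print "rule-number source" for every deny rule whose packet counter
# is still zero. The source is taken as the token after "from", so a
# rule body such as "deny log ip from ..." is handled as well.
unused_deny_rules() {
    awk '$4 == "deny" && $2 + 0 == 0 {
        for (i = 5; i < NF; i++)
            if ($i == "from") { print $1, $(i + 1); break }
    }'
}

# Print "matched/total" over all deny rules: how many of the blocked
# sources have sent at least one packet since the counters were reset.
deny_hit_ratio() {
    awk '$4 == "deny" { total++; if ($2 + 0 > 0) hit++ }
         END { printf "%d/%d\n", hit, total }'
}

# Demonstration on the constructed sample. On a live host, pipe the
# real counters in instead:  ipfw show | unused_deny_rules
echo "deny rules that never matched:"
sample_counters | unused_deny_rules
echo "deny rules with at least one hit: $(sample_counters | deny_hit_ratio)"
```

A low matched/total ratio supports the earlier point in the thread that single-use source addresses make the list longer without making it more effective.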