From owner-freebsd-questions@FreeBSD.ORG Mon Jan 10 21:31:21 2005
From: daniel quinn
To: freebsd-questions@freebsd.org
Date: Mon, 10 Jan 2005 16:30:07 -0500
User-Agent: KMail/1.7.2
References: <20050110035717.27062.qmail@web41008.mail.yahoo.com>
Message-Id: <200501101630.08020.freebsd@danielquinn.org>
Subject: Re: Blacklisting IPs

On January 10, 2005 01:20 am, artware wrote:
> My 5.3R system has only been up a little over a week, and I've already
> had a few break-in attempts -- they show up as Illegal user tests in
> the /var/log/auth.log... It looks like they're trying common login
> names (probably with the login name used as passwd). It takes them
> hours to try a dozen names, but I'd rather not have any traffic from
> these folks. Is there any way to blacklist IPs at the system level, or
> do I have to hack something together for each daemon?

I have three suggestions for this:

1) Edit sshd_config to set PermitRootLogin to "no". Since root is the only user on your system that obviously exists elsewhere, this is a nice start.

2) Set up sshd to allow connections with keys only. Then go buy yourself a USB key and keep your private key on there when you connect.

3) Use a port-knocking daemon:
   http://www.portknocking.org/
   http://www.zeroflux.org/knock/

-- 
those who say it cannot be done should not interrupt the person doing it - unknown
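As an added example, not part of the thread: a small sh/awk script that tallies the "Illegal user" lines the original poster describes in /var/log/auth.log by source address, so an admin can see which hosts are guessing names before deciding what to block. The log sample, hostname and addresses are constructed for the demo; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original thread): summarise "Illegal user"
# lines from a FreeBSD 5.x /var/log/auth.log per source address.
# The log lines below are constructed; the host and addresses are made up.

SAMPLE_LOG=$(mktemp) || exit 1
cat > "$SAMPLE_LOG" <<'EOF'
Jan 10 01:02:11 douglas sshd[1041]: Illegal user test from 192.0.2.10
Jan 10 01:02:14 douglas sshd[1043]: Illegal user guest from 192.0.2.10
Jan 10 01:02:19 douglas sshd[1045]: Illegal user admin from 192.0.2.10
Jan 10 03:17:02 douglas sshd[1102]: Illegal user oracle from 198.51.100.7
Jan 10 03:40:55 douglas sshd[1130]: Accepted publickey for dq from 203.0.113.5 port 51234 ssh2
EOF

# Print "count address" for every source with at least $2 illegal-user
# attempts, most active first. $1 is the log file, $2 the threshold.
illegal_user_sources() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Illegal user .* from / {
            # the address is the field right after the word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { hits[$(i+1)]++; break }
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' "$1" | sort -rn
}

# Addresses over the threshold, one per line, ready to feed whatever
# firewall table the admin uses (the thread itself names none).
offenders() {
    illegal_user_sources "$1" "$2" | awk '{ print $2 }'
}

illegal_user_sources "$SAMPLE_LOG" 1
```

Note that "Illegal user" only covers unknown login names; guesses against accounts that do exist are logged as "Failed password for ..." and would need a second pattern.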