Date: Mon, 10 Jan 2005 23:20:16 -0800
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Chris" <racerx@makeworld.com>, "artware" <artware@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: RE: Blacklisting IPs
Message-ID: <LOBBIFDAGNMAMLGJJCKNAEAEFAAA.tedm@toybox.placo.com>
In-Reply-To: <41E318B2.3020108@makeworld.com>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Chris
> Sent: Monday, January 10, 2005 4:07 PM
> To: artware
> Cc: freebsd-questions@freebsd.org
> Subject: Re: Blacklisting IPs
>
>
> artware wrote:
> > Hello again,
> >
> > My 5.3R system has only been up a little over a week, and I've already
> > had a few breakin attempts -- they show up as Illegal user tests in
> > the /var/log/auth.log... It looks like they're trying common login
> > names (probably with the login name used as passwd). It takes them
> > hours to try a dozen names, but I'd rather not have any traffic from
> > these folks. Is there any way to blacklist IPs at the system level, or
> > do I have to hack something together for each daemon?
> >
> > - ben
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
>
> Here's what I do -
>
> as root: route -nq add -host xxx.xxx.xxx.xxx 127.0.0.1 -blackhole
>
> To the attacker, it looks as if you dropped off the net.
>

This actually isn't the best advice since the incoming packets from the attacker are still using up your bandwidth. It's best to report them and it's not hard to do it. There are automated tools that will do it. As the CTO of an ISP let me tell you that we get about 1 of those reports every few months - that is how few people are reporting them - and we look closely at every one of them. This isn't a situation where the abuse departments of most ISPs are overflowing with so many network abuse notifications that they aren't interested in getting more of them.
Now spam notifications - that's a different issue - few people reporting spam know how to do it properly nor how to figure out where to correctly report them, with the unfortunate result that they are quickly becoming useless. Only about 1 in 400 spam notifications I get a week nowadays are even indicating spam coming from our IP range, let alone indicating bona fide spam. Going after wannabes that are using our service to try breaking into other computers is one of the enjoyable parts of my job, to be honest. It's a lot more fun than sending out form e-mails to spam reports saying some polite variation of "look at the source IP number that spam originated from not the domain name, dumbass"

Ted
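As an added example (not from either poster), here is a small sh script that does the log-side work both replies assume: it reads the "Illegal user" lines from auth.log, counts attempts per source address so the totals can go into an abuse report, and prints the per-host blackhole route Chris described for anything over a threshold. The log lines in SAMPLE_LOG are constructed samples using documentation addresses, and the hostname "toybox" and the function names are assumptions.

```shell
#!/bin/sh
# Constructed auth.log excerpt in the OpenSSH format of that era
# ("Illegal user NAME from IP"); not taken from the original thread.
SAMPLE_LOG='Jan 10 22:15:03 toybox sshd[612]: Illegal user admin from 192.0.2.10
Jan 10 22:31:44 toybox sshd[630]: Illegal user test from 192.0.2.10
Jan 10 23:02:10 toybox sshd[655]: Illegal user oracle from 198.51.100.7
Jan 11 00:47:09 toybox sshd[701]: Illegal user guest from 192.0.2.10
Jan 11 01:05:22 toybox sshd[720]: Accepted publickey for ben from 203.0.113.5 port 40022 ssh2'

# illegal_user_counts: read auth.log text on stdin and print "count ip"
# for every source of "Illegal user" lines, most active source first.
illegal_user_counts() {
    awk '/sshd\[[0-9]+\]: Illegal user / {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# report_lines: for each source with at least $1 attempts (default 2),
# print the count to send to the abuse contact of the owning network
# (whois on the address finds it) plus the blackhole route as a last resort.
report_lines() {
    threshold=${1:-2}
    illegal_user_counts | while read -r count ip; do
        [ "$count" -ge "$threshold" ] || continue
        printf '%s: %s illegal-user attempts, report to abuse contact (whois %s); ' \
            "$ip" "$count" "$ip"
        printf 'route -nq add -host %s 127.0.0.1 -blackhole\n' "$ip"
    done
}

# top_offender: the single most active source in the sample log.
top_offender() {
    printf '%s\n' "$SAMPLE_LOG" | illegal_user_counts | head -n 1 | cut -d' ' -f2
}

# Stand-alone run: report every source with two or more attempts.
printf '%s\n' "$SAMPLE_LOG" | report_lines 2
```

For the real log, replace the sample with `report_lines 2 < /var/log/auth.log`; the counting step never blocks anything by itself, so the route command is only applied if you choose to run it.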