From owner-freebsd-questions@FreeBSD.ORG Wed Aug 24 15:45:53 2005
From: "Gayn Winters" <gayn.winters@bristolsystems.com>
To: "'Michael Dale'", "'Hornet'"
Cc: 'ro ro', freebsd-questions@freebsd.org
Date: Wed, 24 Aug 2005 08:45:46 -0700
Subject: RE: Illegal access attempt - FreeBSD 5.4 Release - please advise
Message-ID: <03a601c5a8c2$e5d042c0$c901a8c0@workdog>
In-Reply-To: <430C5CAC.4050705@dalegroup.net>
Reply-To: gayn.winters@bristolsystems.com
List-Id: User questions

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Michael Dale
> Sent: Wednesday, August 24, 2005 4:40 AM
> To: Hornet
> Cc: ro ro; freebsd-questions@freebsd.org
> Subject: Re: Illegal access attempt - FreeBSD 5.4 Release - please advise
>
> > Also, most if not all of the blocks below are Asia netblocks from which I
> > have had more than 3 attempts to gain access to my servers.
> >
> > 220.0.0.0/8
> > 202.0.0.0/7
> > 134.208.0.0/16
> > 218.0.0.0/8
> > 210.0.0.0/7
> > 221.0.0.0/8
> > 219.0.0.0/8
> > 195.116.0.0/16
> > 59.0.0.0/8
> > 195.133.91.0/24
> > 222.0.0.0/8
>
> Not always a good idea. A lot of Australian users have been having
> issues because of people doing this. More info here:
> http://forums.whirlpool.net.au/forum-replies.cfm?t=324246#r2
>

Such automated blocking is becoming common in the better Intrusion Detection Systems, which talk to their associated firewalls. If you are creating what is effectively a simple IDS, here are a couple of thoughts:

First, blocking reserved areas of the IP space seems a little different than fighting malicious hackers and spammers, but in either case, see (ii) below.

Second, if someone legitimate is being blocked, they'll probably call you. You can put an earlier rule in the firewall to let them in. If you are running an ecommerce site, you might not want to block half the world; invest in a more powerful firewall/IDS combination. See (iii) below.

Third, if you are automating the creation of your blocks (a good idea) then you could also do the following:

(i) Create blocks as narrow as possible given the attacks. First block the IP address, then if several nearby addresses attack, block that subnet, etc.

(ii) Allow the blocks to time out after a while (as many IDS blocks do). If (i) turns them back on, then increase the length of the time-out.

(iii) Review your blocks every now and then, either by reviewing your firewall logs or by having your (perl?) program check if (ii) turns off a block only to have (i) turn it on again, or if it never cycles.

BTW, our firewall blocks so many attacks per minute that its multi-colored console display is better than a soap opera!

-gayn
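The three-step policy sketched in the reply above (host blocks that widen to a subnet once several nearby hosts attack, time-outs that grow each time the same block is re-created, and a report of blocks that keep cycling for human review), worked as an added example that is not code from the thread or from any FreeBSD tool. The `AutoBlocker` class, its thresholds and the 203.0.113.0/24 test addresses are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict


class AutoBlocker:
    """Hypothetical auto-block policy: narrow blocks first, time-outs that grow
    on repeat offences, and a report of blocks that keep cycling."""

    def __init__(self, base_timeout=600, subnet_threshold=3, subnet_prefix=24):
        self.base_timeout = base_timeout          # seconds for a first-time block
        self.subnet_threshold = subnet_threshold  # distinct hosts before widening
        self.subnet_prefix = subnet_prefix
        self.blocks = {}                          # network -> expiry time (seconds)
        self.history = defaultdict(int)           # network -> times blocked, kept past expiry
        self.seen_hosts = defaultdict(set)        # subnet -> attacking hosts seen in it

    def report_attack(self, ip_str, now):
        """Step (i): block the single host; once several hosts in the same
        subnet have attacked, replace them with one block for the subnet."""
        ip = ipaddress.ip_address(ip_str)
        subnet = ipaddress.ip_network(f"{ip}/{self.subnet_prefix}", strict=False)
        self.seen_hosts[subnet].add(ip)
        if len(self.seen_hosts[subnet]) >= self.subnet_threshold:
            for net in list(self.blocks):         # drop host blocks the subnet covers
                if net != subnet and net.subnet_of(subnet):
                    del self.blocks[net]
            self._block(subnet, now)
        else:
            self._block(ipaddress.ip_network(f"{ip}/32"), now)

    def _block(self, net, now):
        """Step (ii): each time the same block is re-created its time-out doubles."""
        self.history[net] += 1
        self.blocks[net] = now + self.base_timeout * 2 ** (self.history[net] - 1)

    def expire(self, now):
        """Remove blocks whose time-out has passed; returns them for logging."""
        expired = [net for net, until in self.blocks.items() if until <= now]
        for net in expired:
            del self.blocks[net]
        return expired

    def is_blocked(self, ip_str):
        ip = ipaddress.ip_address(ip_str)
        return any(ip in net for net in self.blocks)

    def flapping(self, min_cycles=3):
        """Step (iii): blocks that have expired and come back at least
        min_cycles times are the ones worth a human review of the logs."""
        return sorted(str(net) for net, count in self.history.items() if count >= min_cycles)
```

Feeding it from a log tail and translating `blocks` into firewall rules is the part left to the site's own tooling; the class only decides what to block and for how long.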