Date: Tue, 25 Jan 2005 10:31:36 +0100
From: Erik Norgaard <norgaard@locolomo.org>
To: Christian Tischler <mail@myunix.net>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Banning ips for some time?
Message-ID: <41F611F8.9040803@locolomo.org>
In-Reply-To: <41F60ECC.8050206@myunix.net>
References: <41F60ECC.8050206@myunix.net>
Christian Tischler wrote:

> as I have a DSL line which is 24/7 online (coming from a big and
> popular provider) my server's sshd reports 30 to 50 failed
> root/operator/etc. logins a day. I would like to block the incoming ip
> for a few days automatically after e.g. failed login requests.
> Currently I am using ipf, but it would be no problem to use any other
> FreeBSD firewall.
> This is not only for security reasons, but also to shorten the daily
> security run output :-)

Q: Do you think that you will see new attempts from the same ip in one of the following days?

A: Likely not the same ip - but possibly from the same block of IPs => won't help much to block specific IPs.

Q: Do you consider it plausible that after a few days legitimate connections will originate from those IPs?

A: Likely not, but if so, you have no way of predicting from which ip and when => if you need open access, then blocking temporarily will block legitimate connections; if not, then opening again will open for illegitimate connections.

Q: Is your system more vulnerable after failed login attempts to non-existent accounts?

A: Your system will only be more vulnerable if you can assume the attacker will come back and continue from where he left off. But changing passwords will not help, unless you choose something that has been tested and you know he will not test the same password twice.

Conclusion: If you can set up fixed rules for where legitimate connections will originate, do so and block everything else. Otherwise, all attempts to improve security or shorten the security daily will fail.

I have a script that may help you create country based rules:

http://www.daemonsecurity.com/src/ip-rules.pl

Cheers, Erik

--
Ph: +34.666334818
web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
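The mechanism Christian asks for (count failed sshd logins per source address, block the address for a few days, then lift the block) combined with Erik's point that fixed rules for where legitimate connections originate should take precedence, as an added example that is not part of this thread and is not Erik's ip-rules.pl script. It parses sshd log lines in the format FreeBSD's syslog produced at the time, keeps a trusted-network allowlist that is never blocked, emits ipf block rules for offenders, and reports which bans have expired. The interface name `fxp0`, the threshold of 5 failures, the 3-day ban length, the trusted network and the log lines are all constructed assumptions.

```python
"""Temporary ban list from sshd failures (added example, not from the thread).

Parses FreeBSD-style sshd log lines, counts failed logins per source IP,
and emits ipf rules for offenders that are not in a trusted allowlist.
Bans carry a timestamp so they can be lifted again after BAN_DAYS.
Interface name, thresholds, allowlist and the sample log are assumptions.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Hypothetical site settings; adjust to the host.
IFACE = "fxp0"
THRESHOLD = 5          # failures from one IP before it is blocked
BAN_DAYS = 3           # how long a block rule stays in place
TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]  # never blocked (assumed)

# Matches both "Failed password for root from ..." and the
# "Failed password for illegal user operator from ..." form.
FAILED_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:illegal user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_failures(lines, year=2005):
    """Return (timestamp, ip, user) for every failed sshd login line.
    syslog omits the year, so it is supplied by the caller."""
    out = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}",
                               "%b %d %H:%M:%S %Y")
        out.append((ts, m["ip"], m["user"]))
    return out


def offenders(failures, threshold=THRESHOLD, trusted=TRUSTED):
    """IPs with at least `threshold` failures, skipping trusted networks
    (Erik's 'fixed rules for legitimate origins' take precedence)."""
    counts = Counter(ip for _, ip, _ in failures)
    result = {}
    for ip, n in counts.items():
        if n < threshold:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in trusted):
            continue
        result[ip] = n
    return result


def ban_rules(ips, iface=IFACE):
    """One ipf rule per offender; 'quick' makes the block final."""
    return [f"block in quick on {iface} from {ip}/32 to any" for ip in sorted(ips)]


def expired(bans, now, days=BAN_DAYS):
    """bans: {ip: datetime banned}. IPs whose ban has run out."""
    return sorted(ip for ip, t in bans.items() if now - t >= timedelta(days=days))


# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Jan 25 03:12:01 host sshd[812]: Failed password for root from 198.51.100.7 port 40122 ssh2
Jan 25 03:12:04 host sshd[813]: Failed password for illegal user operator from 198.51.100.7 port 40123 ssh2
Jan 25 03:12:07 host sshd[814]: Failed password for illegal user admin from 198.51.100.7 port 40124 ssh2
Jan 25 03:12:10 host sshd[815]: Failed password for root from 198.51.100.7 port 40125 ssh2
Jan 25 03:12:13 host sshd[816]: Failed password for illegal user test from 198.51.100.7 port 40126 ssh2
Jan 25 08:00:01 host sshd[850]: Failed password for root from 192.0.2.10 port 4100 ssh2
Jan 25 08:00:02 host sshd[851]: Failed password for root from 192.0.2.10 port 4101 ssh2
Jan 25 08:00:03 host sshd[852]: Failed password for root from 192.0.2.10 port 4102 ssh2
Jan 25 08:00:04 host sshd[853]: Failed password for root from 192.0.2.10 port 4103 ssh2
Jan 25 08:00:05 host sshd[854]: Failed password for root from 192.0.2.10 port 4104 ssh2
Jan 25 09:00:00 host sshd[901]: Failed password for root from 203.0.113.5 port 5000 ssh2
Jan 25 09:05:00 host sshd[902]: Accepted publickey for erik from 192.0.2.10 port 5100 ssh2
Jan 28 03:12:01 host sshd[950]: Failed password for root from 203.0.113.5 port 5001 ssh2
"""

if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG.splitlines())
    bad = offenders(fails)
    for rule in ban_rules(bad):
        print(rule)
    bans = {ip: fails[0][0] for ip in bad}
    print("expired by", fails[-1][0], ":", expired(bans, fails[-1][0]))
```

The trusted host 192.0.2.10 crosses the threshold but is never blocked, which is the safeguard Erik's second answer calls for: a temporary ban cannot lock out a known legitimate origin. The single failure from 203.0.113.5 stays under the threshold, illustrating his first point that attackers rotating addresses within a block are not caught by per-address rules.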