From owner-freebsd-questions@FreeBSD.ORG Tue Jan 25 09:31:42 2005
Date: Tue, 25 Jan 2005 10:31:36 +0100
From: Erik Norgaard
To: Christian Tischler
cc: FreeBSD Questions
Subject: Re: Banning ips for some time?
Message-ID: <41F611F8.9040803@locolomo.org>
In-Reply-To: <41F60ECC.8050206@myunix.net>
List-Id: User questions

Christian Tischler wrote:
> as I have a DSL line which is 24/7 online (coming from a big and
> popular provider) my server's sshd reports 30 to 50 failed
> root/operator/etc. logins a day. I would like to block the incoming IP
> for a few days automatically after e.g. failed login requests.
> Currently I am using ipf, but it would be no problem to use any other
> FreeBSD firewall.
> This is not only for security reasons, but also to shorten the daily
> security run output :-)

Q: Do you think that you will see new attempts from the same IP in one of the following days?
A: Likely not the same IP, but possibly from the same block of IPs => it won't help much to block specific IPs.

Q: Do you consider it plausible that after a few days legitimate connections will originate from those IPs?

A: Likely not, but if so, you have no way of predicting from which IP and when => if you need open access, then blocking temporarily will block legitimate connections; if not, then opening again will open for illegitimate connections.

Q: Is your system more vulnerable after failed login attempts to non-existent accounts?

A: Your system will only be more vulnerable if you can assume the attacker will come back and continue from where he left off. But changing passwords will not help, unless you choose something that has been tested and you know he will not test the same password twice.

Conclusion: If you can set up fixed rules for where legitimate connections will originate, do so and block everything else. Otherwise, all attempts to improve security or shorten the daily security run output will fail.

I have a script that may help you create country-based rules:

http://www.daemonsecurity.com/src/ip-rules.pl

Cheers, Erik

-- 
Ph: +34.666334818
web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
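Whether per-IP blocking is worth anything, as Erik argues above, depends on whether the failures in your own auth.log recur per address or per netblock, so it is worth tallying both before writing rules. The script below is an added example written for this page; it is not Erik's ip-rules.pl and not code posted in the thread. It is POSIX sh plus awk, and it assumes: FreeBSD-style sshd "Failed password" lines as found in /var/log/auth.log (the sample lines embedded here are constructed, using documentation-range addresses); that "the same block" means a /24 (Erik does not say which size he has in mind); a placeholder external interface name ext0; and a failure threshold you pick yourself. It prints ipf rules for review rather than loading them.

```shell
#!/bin/sh
# Constructed sample of sshd lines in FreeBSD auth.log format (made-up addresses/times,
# not real log data). Note 203.0.113.0/24: three hosts, none with many failures each.
SAMPLE_LOG='Jan 25 03:12:01 top sshd[4123]: Failed password for root from 203.0.113.17 port 51234 ssh2
Jan 25 03:12:04 top sshd[4123]: Failed password for invalid user operator from 203.0.113.17 port 51240 ssh2
Jan 25 03:14:09 top sshd[4130]: Failed password for invalid user admin from 203.0.113.88 port 40011 ssh2
Jan 25 03:20:33 top sshd[4142]: Failed password for root from 198.51.100.5 port 33012 ssh2
Jan 25 03:20:35 top sshd[4142]: Failed password for root from 198.51.100.5 port 33013 ssh2
Jan 25 03:20:38 top sshd[4142]: Failed password for root from 198.51.100.5 port 33014 ssh2
Jan 25 07:45:10 top sshd[4301]: Accepted publickey for erik from 192.0.2.10 port 50022 ssh2
Jan 25 09:02:51 top sshd[4410]: Failed password for invalid user test from 203.0.113.201 port 60123 ssh2'

# failed_by_ip LOG: one "count address" line per source address that failed a
# password login. Accepted logins and non-sshd lines are ignored.
failed_by_ip() {
    printf '%s\n' "$1" |
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -k2,2
}

# failed_by_net LOG: the same tally collapsed to /24 prefixes. The /24 is an
# assumption standing in for "the same block of IPs" in the mail above.
failed_by_net() {
    failed_by_ip "$1" |
    awk '{ split($2, o, "."); net = o[1] "." o[2] "." o[3] ".0/24"; n[net] += $1 }
         END { for (net in n) print n[net], net }' | sort -k2,2
}

# ipf_block_rules LOG THRESHOLD: emit an ipf(5) "block in quick" rule for every /24
# whose failure count reaches THRESHOLD. "ext0" is a placeholder interface name;
# substitute your own. Rules are printed only; review them, then load with ipf(8).
ipf_block_rules() {
    failed_by_net "$1" |
    awk -v t="$2" '$1 >= t + 0 { printf "block in quick on ext0 from %s to any\n", $2 }'
}

# Per-address view, per-/24 view, and rules for a threshold of 3. With the sample
# above, 203.0.113.0/24 reaches 4 failures although no single host in it reaches 3.
failed_by_ip "$SAMPLE_LOG"
failed_by_net "$SAMPLE_LOG"
ipf_block_rules "$SAMPLE_LOG" 3
```

Run it against a real file with `ipf_block_rules "$(cat /var/log/auth.log)" 5` or similar after sourcing the functions. The per-/24 view is the one that answers Erik's first question: if the same prefixes keep reappearing day after day while individual addresses do not, per-address blocking buys little, and a static allow-list of legitimate source networks followed by a block-everything-else rule, as he concludes, is the cleaner choice.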