Date: Tue, 11 Jan 2005 09:43:06 -0500
From: Carleton Vaughn <keebler@mindspring.com>
To: Ted Mittelstaedt <tedm@toybox.placo.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Blacklisting IPs
Message-ID: <41E3E5FA.4000808@mindspring.com>
In-Reply-To: <LOBBIFDAGNMAMLGJJCKNAEAEFAAA.tedm@toybox.placo.com>
References: <LOBBIFDAGNMAMLGJJCKNAEAEFAAA.tedm@toybox.placo.com>
Ted Mittelstaedt wrote:
>
>> -----Original Message-----
>> From: owner-freebsd-questions@freebsd.org
>> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Chris
>> Sent: Monday, January 10, 2005 4:07 PM
>> To: artware
>> Cc: freebsd-questions@freebsd.org
>> Subject: Re: Blacklisting IPs
>>
>> artware wrote:
>>
>>> Hello again,
>>>
>>> My 5.3R system has only been up a little over a week, and I've already
>>> had a few breakin attempts -- they show up as Illegal user tests in
>>> the /var/log/auth.log... It looks like they're trying common login
>>> names (probably with the login name used as passwd). It takes them
>>> hours to try a dozen names, but I'd rather not have any traffic from
>>> these folks. Is there any way to blacklist IPs at the system level, or
>>> do I have to hack something together for each daemon?
>>>
>>> - ben
>>> _______________________________________________
>>> freebsd-questions@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>
>> Here's what I do -
>>
>> as root: route -nq add -host xxx.xxx.xxx.xxx 127.0.0.1 -blackhole
>>
>> To the attacker, it looks as if you dropped off the net.
>
> This actually isn't the best advice since the incoming packets
> from the attacker are still using up your bandwidth.
>
> It's best to report them and it's not hard to do it. There
> are automated tools that will do it. As the CTO of an ISP
> let me tell you that we get about 1 of those reports every
> few months - that is how few people are reporting them - and
> we look closely at every one of them. This isn't a situation
> where the abuse departments of most ISP's are overflowing
> with so many network abuse notifications that they aren't
> interested in getting more of them.

I've had these showing up in my auth.log since mid-December.
Most of the time, my lookups have gone to domains registered in Elbonia and frankly I have my doubts about any administrators over there caring. The only Western abuse@ I found sent me an automated reply. I'm waiting to get one from Singapore---maybe I can get somebody caned...

-- 
Carleton Vaughn
College Park, Georgia, USA
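As an added example that is not part of the thread, the script below ties the two halves of the discussion together: it counts the "Illegal user ... from <ip>" entries sshd writes to /var/log/auth.log per source address and, for addresses over a threshold, prints the blackhole route command Chris described. It only prints the commands rather than running them, because, as Ted points out, a blackhole route stops replies but does not stop the attacker's inbound packets from consuming bandwidth; the printed list is equally usable as the evidence for an abuse report. The log lines are constructed samples in the OpenSSH 3.x format FreeBSD 5.3 used, and the function names and the 3-attempt threshold are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample of FreeBSD 5.3 auth.log lines (not taken from the original post).
SAMPLE_LOG='Jan 10 14:03:11 host sshd[1234]: Illegal user test from 198.51.100.7
Jan 10 14:05:42 host sshd[1240]: Illegal user admin from 198.51.100.7
Jan 10 14:08:19 host sshd[1251]: Illegal user guest from 198.51.100.7
Jan 10 15:12:03 host sshd[1302]: Illegal user oracle from 203.0.113.9
Jan 10 15:20:55 host sshd[1310]: Accepted publickey for ben from 192.0.2.10 port 51234 ssh2'

# illegal_user_ips THRESHOLD (hypothetical helper): read auth.log lines on stdin and
# print, one per line and sorted, every source IP with at least THRESHOLD
# "Illegal user" entries. Successful logins and other sshd lines are ignored.
illegal_user_ips() {
    threshold="${1:-3}"
    awk -v min="$threshold" '
        /sshd\[[0-9]+\]: Illegal user .* from / {
            ip = $NF          # the source address is the last field on the line
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min) print ip }
    ' | sort
}

# blackhole_cmd IP (hypothetical helper): the route command from the thread for one
# address. It is echoed, not executed, so the operator reviews the list first.
blackhole_cmd() {
    printf 'route -nq add -host %s 127.0.0.1 -blackhole\n' "$1"
}

# Stand-alone run over the constructed sample: 198.51.100.7 crosses the threshold,
# 203.0.113.9 (one attempt) and the legitimate login from 192.0.2.10 do not.
printf '%s\n' "$SAMPLE_LOG" | illegal_user_ips 3 | while read -r ip; do
    blackhole_cmd "$ip"
done
```

On a live system replace the sample with `illegal_user_ips 3 < /var/log/auth.log`; the sorted per-IP output is also what an abuse report to the address owner needs alongside the matching log lines.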