From owner-freebsd-questions@FreeBSD.ORG Tue Jan 11 14:44:13 2005
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B059516A4CE for ; Tue, 11 Jan 2005 14:44:13 +0000 (GMT)
Received: from barry.mail.mindspring.net (barry.mail.mindspring.net [207.69.200.25]) by mx1.FreeBSD.org (Postfix) with ESMTP id 78AE443D31 for ; Tue, 11 Jan 2005 14:44:13 +0000 (GMT) (envelope-from keebler@mindspring.com)
Received: from user-11faknj.dsl.mindspring.com ([66.245.82.243] helo=[192.168.1.100]) by barry.mail.mindspring.net with esmtp (Exim 3.33 #1) id 1CoNFf-00074a-00; Tue, 11 Jan 2005 09:44:07 -0500
Message-ID: <41E3E5FA.4000808@mindspring.com>
Date: Tue, 11 Jan 2005 09:43:06 -0500
From: Carleton Vaughn
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Ted Mittelstaedt
References:
In-Reply-To:
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
cc: freebsd-questions@freebsd.org
Subject: Re: Blacklisting IPs
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe:
List-Archive:
List-Post:
List-Help:
List-Subscribe:
X-List-Received-Date: Tue, 11 Jan 2005 14:44:13 -0000

Ted Mittelstaedt wrote:
>
>>-----Original Message-----
>>From: owner-freebsd-questions@freebsd.org
>>[mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Chris
>>Sent: Monday, January 10, 2005 4:07 PM
>>To: artware
>>Cc: freebsd-questions@freebsd.org
>>Subject: Re: Blacklisting IPs
>>
>>
>>artware wrote:
>>
>>>Hello again,
>>>
>>>My 5.3R system has only been up a little over a week, and I've already
>>>had a few break-in attempts -- they show up as Illegal user tests in
>>>the /var/log/auth.log... It looks like they're trying common login
>>>names (probably with the login name used as passwd). It takes them
>>>hours to try a dozen names, but I'd rather not have any traffic from
>>>these folks. Is there any way to blacklist IPs at the system level, or
>>>do I have to hack something together for each daemon?
>>>
>>>- ben
>>>_______________________________________________
>>>freebsd-questions@freebsd.org mailing list
>>>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>>
>>
>>Here's what I do -
>>
>>as root: route -nq add -host xxx.xxx.xxx.xxx 127.0.0.1 -blackhole
>>
>>To the attacker, it looks as if you dropped off the net.
>>
>>
>
>
> This actually isn't the best advice since the incoming packets
> from the attacker are still using up your bandwidth.
>
> It's best to report them and it's not hard to do it. There
> are automated tools that will do it. As the CTO of an ISP
> let me tell you that we get about 1 of those reports every
> few months - that is how few people are reporting them - and
> we look closely at every one of them. This isn't a situation
> where the abuse departments of most ISPs are overflowing
> with so many network abuse notifications that they aren't
> interested in getting more of them.

I've had these showing up in my auth.log since mid-December. Most of the
time, my lookups have gone to domains registered in Elbonia and frankly I
have my doubts about any administrators over there caring. The only
Western abuse@ I found sent me an automated reply. I'm waiting to get one
from Singapore---maybe I can get somebody caned...

--
Carleton Vaughn
College Park, Georgia, USA
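The thread's two halves, picking the attacking addresses out of auth.log and then applying Chris's blackhole route to them, fit together in a short script. The one below is an added example, not code from any poster on the list: the log lines are constructed (the "Illegal user ... from ..." wording matches what the original poster describes seeing from sshd on 5.3R, but these entries are invented), the threshold of three attempts is an arbitrary assumption, and the function names are ours. It only prints the route commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not from the thread. Summarise "Illegal user" entries in
# sshd's auth.log output per source address and emit the blackhole-route
# command from Chris's post for every address over a threshold.

# Constructed sample of /var/log/auth.log lines (not a real capture).
SAMPLE_LOG='Jan 10 03:12:01 host sshd[1234]: Illegal user test from 10.0.0.5
Jan 10 03:12:09 host sshd[1235]: Illegal user admin from 10.0.0.5
Jan 10 03:12:20 host sshd[1236]: Illegal user guest from 10.0.0.5
Jan 10 04:01:44 host sshd[1301]: Illegal user oracle from 192.0.2.7
Jan 10 04:05:10 host sshd[1310]: Accepted publickey for ben from 198.51.100.2 port 4112 ssh2'

# illegal_user_counts: read log text on stdin, print "count ip" for each
# source address that produced an "Illegal user" line, busiest first.
# Successful logins and other sshd messages are ignored.
illegal_user_counts() {
    awk '/sshd\[[0-9]+\]: Illegal user .* from / {
            ip = $NF          # the source address is the last field
            n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# blackhole_commands THRESHOLD: read log text on stdin and print (never
# execute) the route command from the thread for every address with at
# least THRESHOLD illegal-user attempts. Run the output as root only
# after checking it does not contain an address you need.
blackhole_commands() {
    threshold=$1
    illegal_user_counts | awk -v t="$threshold" '$1 >= t {
        printf "route -nq add -host %s 127.0.0.1 -blackhole\n", $2
    }'
}

# Usage: with the constructed log above and a threshold of 3, only
# 10.0.0.5 qualifies; 192.0.2.7 made a single attempt and is left alone.
printf '%s\n' "$SAMPLE_LOG" | blackhole_commands 3
```

On a live system you would feed it `/var/log/auth.log` instead of `$SAMPLE_LOG`. Note that Ted's objection applies to any host-side block, blackhole route or packet filter alike: the attacker's packets still cross your link before the kernel discards them, so the script reduces log noise and the attacker's visibility of the host, not the inbound traffic.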