From owner-freebsd-questions@FreeBSD.ORG Tue Jan 11 16:40:15 2005
From: Olaf Greve <o.greve@axis.nl>
Date: Tue, 11 Jan 2005 17:39:51 +0100
To: Ted Mittelstaedt
cc: freebsd-questions@freebsd.org
Subject: Re: Blacklisting IPs
Message-ID: <41E40157.1090702@axis.nl>

Hi,

> It's best to report them and it's not hard to do it. There
> are automated tools that will do it.

I would be very interested in setting up such a tool on my server as well. My passwords are not easy to guess, root is not allowed to log in anyway, and chances are extremely slim that someone will guess the one and only username/password combination that is actually allowed to SSH and to su -. Nonetheless, I find it annoying that some kids with nothing better to do download these stupid brute force tools in order to call themselves hackers.
Duh! Therefore, I could well do without having 22,000 lines of failed attempts in my security logs (though as of late they haven't been that long), and I wouldn't mind reporting the critters to their ISPs.

Does anyone have a good suggestion for such a tool? It would be cool if the tool could spot such brute force attempts, and when it sees e.g. more than 5 failed attempts from the same IP within say 5 minutes of time, it would blacklist the IP, and would automatically report the crack attempt to the ISP of the critters.

Anyone?

Cheerz!
Olafo
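The detection rule Olaf describes (more than 5 failed SSH logins from one IP inside a 5-minute window, then blacklist and keep the evidence for an abuse report) is small enough to show in full. The following is an added example written for this archive page, not code from the thread or from any FreeBSD tool. It assumes sshd "Failed password" lines in the syslog format found in /var/log/auth.log, supplies the year itself because syslog timestamps omit it, and only generates the pfctl commands for a pf table named "bruteforce" (an assumed name that pf.conf would have to declare with `table <bruteforce> persist` and block with a rule such as `block in quick from <bruteforce>`); it does not run them. The log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of sshd lines as syslog writes them to /var/log/auth.log.
# 203.0.113.7 fails six times in about three minutes; 192.0.2.44 fails six
# times but spaced 15 minutes apart, which a 5-minute window must NOT trip on.
SAMPLE_LOG = """\
Jan 11 17:30:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2
Jan 11 17:30:03 host sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 4023 ssh2
Jan 11 17:30:06 host sshd[1205]: Failed password for root from 203.0.113.7 port 4024 ssh2
Jan 11 17:31:10 host sshd[1210]: Failed password for invalid user guest from 203.0.113.7 port 4030 ssh2
Jan 11 17:32:15 host sshd[1214]: Failed password for invalid user oracle from 203.0.113.7 port 4031 ssh2
Jan 11 17:33:20 host sshd[1220]: Failed password for invalid user mysql from 203.0.113.7 port 4032 ssh2
Jan 11 17:35:00 host sshd[1222]: Failed password for olaf from 198.51.100.9 port 51000 ssh2
Jan 11 17:36:00 host sshd[1224]: Accepted password for olaf from 198.51.100.9 port 51001 ssh2
Jan 11 17:40:00 host sshd[1230]: Failed password for invalid user admin from 192.0.2.44 port 3001 ssh2
Jan 11 17:55:00 host sshd[1231]: Failed password for invalid user admin from 192.0.2.44 port 3002 ssh2
Jan 11 18:10:00 host sshd[1232]: Failed password for invalid user admin from 192.0.2.44 port 3003 ssh2
Jan 11 18:25:00 host sshd[1233]: Failed password for invalid user admin from 192.0.2.44 port 3004 ssh2
Jan 11 18:40:00 host sshd[1234]: Failed password for invalid user admin from 192.0.2.44 port 3005 ssh2
Jan 11 18:55:00 host sshd[1235]: Failed password for invalid user admin from 192.0.2.44 port 3006 ssh2
"""

# Matches sshd's "Failed password" lines; "invalid user" is optional because
# sshd omits it when the account exists (e.g. root). Accepted logins and
# other daemons do not match and are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2005):
    """Yield (timestamp, ip, user, raw_line) for each failed login.
    The year is an assumption: syslog timestamps do not carry one."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        yield ts, m.group("ip"), m.group("user"), line


def find_brute_forcers(log_text, threshold=5, window_seconds=300, year=2005):
    """Sliding-window detector: a source is flagged the first time it has MORE
    than `threshold` failures inside any `window_seconds` span.
    Returns {ip: {"tripped_at": datetime, "failures": n, "evidence": [lines]}};
    "evidence" keeps every raw failure line from that IP for an abuse report."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)    # ip -> failure timestamps still inside the window
    evidence = defaultdict(list)   # ip -> all raw failure lines seen
    flagged = {}
    for ts, ip, _user, line in parse_failures(log_text, year):
        evidence[ip].append(line)
        if ip in flagged:
            continue               # flag each source once; evidence keeps growing
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()            # discard failures that fell out of the window
        if len(q) > threshold:
            flagged[ip] = {"tripped_at": ts, "failures": len(q), "evidence": evidence[ip]}
    return flagged


def pf_commands(flagged, table="bruteforce"):
    """Build (but do not run) the pfctl commands that would add each flagged
    source to a pf table. The table name is an assumption; pf.conf must
    declare it and block traffic from it for the addition to have any effect."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = find_brute_forcers(SAMPLE_LOG)
    for ip, info in hits.items():
        print(f"{ip}: {info['failures']} failures by {info['tripped_at']:%H:%M:%S}, "
              f"{len(info['evidence'])} evidence lines")
    for cmd in pf_commands(hits):
        print(cmd)
```

Run against the sample, it flags only 203.0.113.7 (six failures by 17:33:20) and leaves 192.0.2.44 alone even though it also failed six times, because those failures never fall inside one 5-minute window; widening `window_seconds` to two hours catches the slow one too, which is the trade-off any such threshold rule makes. The `evidence` list is what you would attach to a report to the source's ISP, and a real deployment would tail the log with a cron job or a pipe rather than re-reading it.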