From: Chris
Date: Sat, 29 Nov 2008 12:47:24 -0800
To: FreeBSD-Questions Questions
Subject: Re: Temporarily blocking ports

On Nov 29, 2008, at 11:39 AM, Jos Chrispijn wrote:

> Can someone hint me how I can block ports for let's say 30 minutes
> if someone repeatedly tries to do a SSH login?
> I use ipfw as firewall...
>

If you mean the statement as entered while you are watching, something like:

    ipfw add 0922 deny tcp from nn.nn.nn.nn to me dst-port 22

where 922 is some line prior to your normal allow statements for ssh and nn.nn.nn.nn is the address you'd prefer to block.

If you mean an automated way, put this in a Perl program, sleep for 30 minutes and then do an ipfw delete 0922. Your program will need to run as root of course.

Doing things like this tends to be risky if you aren't careful. If you don't have anti-spoofing and perhaps even some careful whitelisting rules, depending on how you identify an attack, schemes such as this can be turned against you once you automate it.

I think a better way is to allow only IP addresses you want to connect on ssh to start a session with setup keep-state and then include a specific deny for all ssh connections following that statement. If you have connections coming in from certain nets but dynamically assigned addresses, only allow those ranges and block all others. That will dramatically reduce the audience of casual brute force attackers.

An even tighter practice is to turn off all password logins and use only keyed connections. This is easier than it might seem, though I'll admit I think of ssh as something only a select number of users may use and thus you know them by name and what IPs they are permitted to connect on.

> regards,
> Jos Chrispijn
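
The automated add/sleep/delete sequence described in the reply, with its whitelisting caveat applied, as an added example that is not part of the original message. It uses sh rather than Perl; the function names, the `IPFW` dry-run variable and the whitelist addresses are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original message): temporary ipfw block of one
# SSH source, refusing whitelisted or malformed addresses.
RULE=${RULE:-922}               # rule number from the message; must sort before the ssh allow rules
BLOCK_SECS=${BLOCK_SECS:-1800}  # 30 minutes
WHITELIST=${WHITELIST:-"192.0.2.10 198.51.100.7"}  # constructed sample: never block these
IPFW=${IPFW:-"echo ipfw"}       # assumption: dry run by default; IPFW=/sbin/ipfw as root to apply

# Accept only a dotted quad with octets 0-255, so log-derived input cannot
# carry extra ipfw or shell syntax.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

is_whitelisted() {
    for addr in $WHITELIST; do
        [ "$addr" = "$1" ] && return 0
    done
    return 1
}

# Add the deny rule, wait, then remove it. "ipfw delete N" removes every rule
# numbered N, so this handles one blocked address at a time.
temp_block() {
    is_ipv4 "$1" || { echo "refusing: not an IPv4 address" >&2; return 2; }
    if is_whitelisted "$1"; then
        echo "refusing: $1 is whitelisted" >&2
        return 3
    fi
    $IPFW add "$RULE" deny tcp from "$1" to me dst-port 22 || return 1
    sleep "$BLOCK_SECS"
    $IPFW delete "$RULE"
}

if [ $# -gt 0 ]; then temp_block "$1"; fi
```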