Date: Sat, 29 Nov 2008 12:47:24 -0800
From: Chris <eagletree@hughes.net>
To: FreeBSD-Questions Questions <freebsd-questions@freebsd.org>
Subject: Re: Temporarily blocking ports
Message-ID: <22771067-1635-4C00-A0EB-4E14569F636C@hughes.net>
In-Reply-To: <49319A83.6050407@webrz.net>
References: <49319A83.6050407@webrz.net>
On Nov 29, 2008, at 11:39 AM, Jos Chrispijn wrote:

> Can someone hint me how I can block ports for let's say 30 minutes
> if someone repeatedly tries to do a SSH login?
> I use ipfw as firewall...

If you mean the statement as entered while you are watching, something like:

    ipfw add 0922 deny tcp from nn.nn.nn.nn to me dst-port 22

where 922 is some line prior to your normal allow statements for ssh
and nn.nn.nn.nn is the address you'd prefer to block.

If you mean an automated way, put this in a perl program, sleep for 30
minutes and then do an ipfw delete 0922. Your program will need to run as
root of course.

Doing things like this tends to be risky if you aren't careful. If you
don't have anti-spoofing and perhaps even some careful whitelisting rules,
depending on how you identify an attack, schemes such as this can be turned
against you once you automate it.

I think a better way is to allow only ip addresses you want to connect on
ssh to start a session with setup keep-state and then include a specific
deny for all ssh connections following that statement. If you have
connections coming in from certain nets but dynamically assigned addresses,
only allow those ranges and block all others. That will dramatically reduce
the audience of casual brute force attackers.

An even tighter practice is to turn off all password logins and use only
keyed connections. This is easier than it might seem, though I'll admit I
think of ssh as something only a select number of users may use and thus
you know them by name and what IPs they are permitted to connect on.

> regards,
> Jos Chrispijn
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
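The two approaches in the reply above, written out as an added shell example that is not code from the thread or from anyone on it: a 30-minute deny rule that is added and then deleted, guarded by the whitelist the reply says such automation needs, and beside it the "allow known sources with setup keep-state, then deny everything else" ruleset it prefers. The rule numbers 922 and 900+, the sample addresses in WHITELIST and the IPFW variable are assumptions; IPFW defaults to "echo ipfw" so the script only prints the rules it would install, and must be run as root with IPFW=/sbin/ipfw to actually change the firewall.

```shell
#!/bin/sh
# Added example, not code from the thread. Temporary ipfw block of one ssh
# source with a whitelist guard, plus the "allow known sources with keep-state,
# then deny everything else" ruleset the reply recommends. Rule numbers and
# the sample addresses are assumptions. IPFW defaults to "echo ipfw" so the
# script only prints what it would run; set IPFW=/sbin/ipfw as root to apply.

IPFW="${IPFW:-echo ipfw}"
BLOCK_RULE=922          # before the normal ssh allow rules, as in the reply
BLOCK_SECONDS=1800      # 30 minutes
# Sources that must never be blocked automatically (constructed sample values:
# one management host and one office network).
WHITELIST="192.0.2.10 198.51.100.0/24"

# Shape check so text scraped from a log can never reach a rule as anything
# other than a dotted-quad address or CIDR prefix.
valid_addr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Dotted quad -> 32-bit integer (positional parameters are function-local in sh).
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/LEN (a bare NET means a single host): true if ADDR is inside.
in_cidr() {
    net=${2%%/*}
    case "$2" in */*) len=${2##*/} ;; *) len=32 ;; esac
    mask=$(( len == 0 ? 0 : (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

in_whitelist() {
    for entry in $WHITELIST; do
        in_cidr "$1" "$entry" && return 0
    done
    return 1
}

# The reactive scheme from the reply: add the deny rule, wait, delete it.
# Refuses malformed or whitelisted input so a spoofed or misparsed address
# cannot be used to lock out your own management hosts. Run it in the
# background (block_temp ADDR &) if the caller must not wait.
block_temp() {
    addr=$1
    valid_addr "$addr" || { echo "refusing malformed address: $addr" >&2; return 1; }
    in_whitelist "$addr" && { echo "refusing whitelisted address: $addr" >&2; return 1; }
    $IPFW add "$BLOCK_RULE" deny tcp from "$addr" to me dst-port 22
    sleep "$BLOCK_SECONDS"
    $IPFW delete "$BLOCK_RULE"
}

# The preferred scheme: each known source may open an ssh session statefully
# (a keep-state rule also acts as check-state), then one deny covers everyone
# else, so there is nothing left to automate.
ssh_allowlist_rules() {
    n=900
    for src in $WHITELIST; do
        echo "ipfw add $n allow tcp from $src to me dst-port 22 setup keep-state"
        n=$((n + 1))
    done
    echo "ipfw add $n deny tcp from any to me dst-port 22"
}

case "${1:-}" in
    block) block_temp "$2" ;;
    rules) ssh_allowlist_rules ;;
esac
```

`sh script.sh rules` prints the allowlist ruleset to review before loading it; `sh script.sh block 203.0.113.5` prints the add, waits, and prints the delete, while `block 192.0.2.10` is refused because the address is whitelisted. The guard is the point: whatever feeds addresses into the automation, a whitelist check and a strict format check stand between that input and the firewall.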