Date: Mon, 18 Jul 2005 13:21:02 +0200 (CEST)
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Trying to understand dynamic rules
Message-ID: <200507181121.j6IBL277008546@lurza.secnetix.de>
In-Reply-To: <20050717190755.Q13035@zoraida.natserv.net>

Francisco Reyes <lists@natserv.com> wrote:
> Basically I keep track of attempts to connect to the SSH port. Any IP that
> tries to connect using a non existing user numerous times I run a script
> and blackhole the IP.

That's probably OK, because the source IP cannot easily be spoofed in that case. But ...

> What I would like was if IPFW would see numerous attempts to connect to
> SSH from the same IP and automatically create a rule to not allow that IP
> to connect at all to my machine. Is this possible?

It's possible, but it's probably _not_ a good idea, because an attacker can easily perform a denial-of-service attack against your machine. For example, he can make several connection attempts to your machine, using -- say -- the IP addresses of your DNS servers as source IPs (or any other address that might be important to you). Then you would blackhole your own DNS servers.

I recommend that you just ignore such attempts. If your filter rules are OK and your ssh configuration is OK (and your passwords are OK, _if_ you allow password authentication), then there's no reason to worry. If any of those are not OK, then fix them first, because blackholing IPs won't save you anyway.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co KG, Marktplatz 29, 85567 Grafing
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

Passwords are like underwear. You don't share them, you don't hang them on your monitor or under your keyboard, you don't email them, or put them on a web site, and you must change them very often.
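
Added example, not part of the message above and not code from either poster: a log-based candidate selector of the kind the first quoted paragraph describes, which counts only sshd "Invalid user" entries (written after a completed TCP handshake) and refuses to list addresses in a never-block set such as the DNS servers mentioned in the reply. The log line format, the threshold, the never-block networks and all names in the code are assumptions; the sample log is constructed.

```python
import ipaddress
import re
from collections import Counter

# sshd writes this line only after the TCP handshake has completed, so the
# source address is hard to spoof, unlike a bare SYN counted by the firewall.
# Assumption: syslog lines of the form "... sshd[PID]: Invalid user X from IP".
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user \S+ from (\S+)")

# Assumption: addresses that must never be blocked (resolvers, gateway,
# management hosts). Documentation-range placeholders, not real hosts.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("192.0.2.53/32", "198.51.100.0/28")]
THRESHOLD = 3  # assumption: failed attempts before an address is a candidate

# Constructed sample input, not taken from a real system.
SAMPLE_LOG = [
    "Jul 18 11:02:01 host sshd[811]: Invalid user admin from 203.0.113.7",
    "Jul 18 11:02:03 host sshd[812]: Invalid user test from 203.0.113.7",
    "Jul 18 11:02:05 host sshd[813]: Invalid user guest from 203.0.113.7",
    "Jul 18 11:03:10 host sshd[820]: Invalid user a from 192.0.2.53",
    "Jul 18 11:03:11 host sshd[821]: Invalid user b from 192.0.2.53",
    "Jul 18 11:03:12 host sshd[822]: Invalid user c from 192.0.2.53",
    "Jul 18 11:04:00 host sshd[830]: Invalid user bob from 198.51.100.200",
    "Jul 18 11:05:00 host sshd[840]: Accepted publickey for alice from 198.51.100.9 port 4022 ssh2",
]


def block_candidates(log_lines, threshold=THRESHOLD, never_block=NEVER_BLOCK):
    """Return (to_block, skipped): addresses at or over the threshold,
    split by whether they fall inside a never-block network."""
    counts = Counter()
    for line in log_lines:
        m = INVALID_USER.search(line)
        if not m:
            continue
        try:
            counts[ipaddress.ip_address(m.group(1))] += 1
        except ValueError:
            continue  # not an IP literal (e.g. a hostname); ignore it
    to_block, skipped = [], []
    # Sort by (IP version, numeric value) so IPv4 and IPv6 can be mixed.
    for addr, n in sorted(counts.items(), key=lambda kv: (kv[0].version, int(kv[0]))):
        if n < threshold:
            continue
        protected = any(addr in net for net in never_block)
        (skipped if protected else to_block).append(str(addr))
    return to_block, skipped
```

The skipped list is worth reviewing by hand: a protected address showing up there means something is sending traffic under that address, which blocking it would not fix.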