From: Oliver Fromme
To: freebsd-ipfw@FreeBSD.ORG
Date: Mon, 18 Jul 2005 13:21:02 +0200 (CEST)
Subject: Re: Trying to understand dynamic rules
Message-Id: <200507181121.j6IBL277008546@lurza.secnetix.de>
In-Reply-To: <20050717190755.Q13035@zoraida.natserv.net>
List-Id: IPFW Technical Discussions
User-Agent: tin/1.5.4-20000523 ("1959") (UNIX) (FreeBSD/4.11-RELEASE (i386))

Francisco Reyes wrote:
> Basically I keep track of attempts to connect to the SSH port. Any IP that
> tries to connect using a non-existing user numerous times I run a script
> and blackhole the IP.

That's probably OK, because the source IP cannot easily be spoofed in that case. But ...

> What I would like is if IPFW would see numerous attempts to connect to
> SSH from the same IP and automatically create a rule to not allow that IP
> to connect at all to my machine. Is this possible?

It's possible, but it's probably _not_ a good idea, because an attacker can easily perform a denial-of-service attack against your machine. For example, he can make several connection attempts to your machine, using -- say -- the IP addresses of your DNS servers as source IPs (or any other address that might be important to you). Then you would blackhole your own DNS servers.

I recommend that you just ignore such attempts. If your filter rules are OK and your ssh configuration is OK (and your passwords are OK, _if_ you allow password authentication), then there's no reason to worry. If any of those are not OK, then fix them first, because blackholing IPs won't save you anyway.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co KG, Marktplatz 29, 85567 Grafing
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

Passwords are like underwear. You don't share them, you don't hang them
on your monitor or under your keyboard, you don't email them, or put them
on a web site, and you must change them very often.
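The distinction drawn in the reply above is between two signals: an sshd "Invalid user" log line, which only exists after a completed TCP handshake and SSH key exchange (so the peer address is real), and a raw connection attempt counted at the firewall, which an attacker can forge with any source address. The following is an added example, not part of the original message or of Francisco's script: a small Python script that implements the log-based variant, counts invalid-user attempts per source address over constructed sample log lines, refuses to block a set of addresses the operator marks as critical (the DNS-server scenario from the reply), and emits the ipfw deny rule as a string rather than running it. The log lines, the threshold of 3, the rule number 100 and the protected address 192.0.2.53 are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines (FreeBSD syslog layout); not taken from the
# original message. Only "Invalid user" lines are counted: sshd logs these after
# the TCP handshake and key exchange, so the address cannot be trivially spoofed.
SAMPLE_LOG = """\
Jul 18 11:20:01 lurza sshd[8501]: Invalid user admin from 203.0.113.5
Jul 18 11:20:03 lurza sshd[8503]: Invalid user oracle from 203.0.113.5
Jul 18 11:20:05 lurza sshd[8505]: Invalid user test from 203.0.113.5
Jul 18 11:20:07 lurza sshd[8507]: Invalid user guest from 203.0.113.5
Jul 18 11:20:09 lurza sshd[8509]: Invalid user mysql from 198.51.100.7
Jul 18 11:20:11 lurza sshd[8511]: Invalid user admin from 192.0.2.53
Jul 18 11:20:13 lurza sshd[8513]: Invalid user admin from 192.0.2.53
Jul 18 11:20:15 lurza sshd[8515]: Invalid user admin from 192.0.2.53
Jul 18 11:20:17 lurza sshd[8517]: Accepted publickey for olli from 198.51.100.7 port 40112 ssh2
"""

# Hypothetical: the host's own resolver. Blocking it would be the self-inflicted
# denial of service the reply warns about, so it is never eligible for a rule.
PROTECTED = frozenset({"192.0.2.53"})

THRESHOLD = 3        # invalid-user attempts before an address is a candidate (assumed)
RULE_NUMBER = 100    # ipfw rule number to use for the deny rules (assumed)

_INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")


def parse_invalid_users(log_text):
    """Return a Counter of invalid-user attempts keyed by source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = _INVALID_USER.search(line)
        if not m:
            continue
        addr = m.group(2)
        try:
            ipaddress.ip_address(addr)   # discard anything that is not an address
        except ValueError:
            continue
        counts[addr] += 1
    return counts


def select_blackholes(counts, threshold, protected):
    """Split addresses over the threshold into (to_block, skipped_as_protected)."""
    to_block, skipped = [], []
    for addr in sorted(counts):
        if counts[addr] < threshold:
            continue
        if addr in protected:
            skipped.append(addr)      # critical address: log it, never block it
        else:
            to_block.append(addr)
    return to_block, skipped


def ipfw_deny_rule(addr, rule_number):
    """Build the ipfw(8) command that drops all traffic from addr; not executed here."""
    return f"ipfw add {rule_number} deny ip from {addr} to any"


if __name__ == "__main__":
    counts = parse_invalid_users(SAMPLE_LOG)
    block, skipped = select_blackholes(counts, THRESHOLD, PROTECTED)
    for addr in block:
        print(ipfw_deny_rule(addr, RULE_NUMBER))
    for addr in skipped:
        print(f"# {addr} exceeded the threshold but is protected; not blocking")
```

With the sample input, only 203.0.113.5 is turned into a rule; 192.0.2.53 exceeds the threshold but is reported rather than blocked, and 198.51.100.7 stays below the threshold. Counting SYNs at the firewall instead of sshd log lines would remove the handshake guarantee this script relies on, which is exactly why the reply advises against letting ipfw do the blocking on its own.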