Date:      Tue, 4 Oct 2005 08:15:48 +0700 (ICT)
From:      Olivier Nicole <on@cs.ait.ac.th>
To:        nb_root@videotron.ca
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: Automatically add attacks to deny list?
Message-ID:  <200510040115.j941FmTm040763@banyan.cs.ait.ac.th>
In-Reply-To: <200510031816.26658.nb_root@videotron.ca> (message from Nicolas Blais on Mon, 03 Oct 2005 18:16:16 -0400)
References:  <200510031816.26658.nb_root@videotron.ca>

> Whenever someone tries a portscan or http server vulnerability scan on my
> system, I have to manually add their ip in my /etc/ipfw.conf file such as:
> add 100 deny all from xx.xxx.xxx.xxx to any
> 
> Is there a way, without enabling blackhole, to dynamically add ips to my
> blacklist after a certain packet/sec limit or some other way?

I'd say that the problem is not to find how to do that, but to decide
whether it is a good thing to automatically deny an IP.

There must be some plugin to snort that does what you want, but the risk
is that either your filtering is too soft and you miss blocking some IP, or
too harsh and you block some legitimate traffic.

Olivier
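
The trade-off raised in the reply above, as an added example that is not part of the original thread: a rate-threshold blocker run over constructed events, showing a loose limit missing a slow scanner and a strict limit catching a busy legitimate client unless it is allowlisted. The function names, the sample addresses and the use of ipfw table 1 are assumptions; the script only builds the ipfw commands, it does not run them.

```python
import ipaddress
from collections import defaultdict, deque


def offenders(events, threshold, window, allowlist=()):
    """Return sorted source IPs with more than `threshold` events
    inside any sliding `window` of seconds. Allowlisted networks are skipped."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = set()
    for ts, ip in sorted(events):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            continue              # never auto-block an allowlisted source
        q = recent[ip]
        q.append(ts)
        while q[0] <= ts - window:
            q.popleft()           # drop events that fell out of the window
        if len(q) > threshold:
            flagged.add(ip)
    return sorted(flagged)


def ipfw_commands(ips, table=1):
    """Build (not execute) ipfw table additions. Assumes the ruleset has a
    rule such as: ipfw add 100 deny all from 'table(1)' to any"""
    return [f"ipfw table {table} add {ip}" for ip in ips]


# Constructed sample events: (seconds, source IP), documentation addresses.
FAST = [(i * 0.1, "198.51.100.7") for i in range(20)]      # 20 hits in 2 s
SLOW = [(i * 30.0, "203.0.113.9") for i in range(10)]      # 1 hit every 30 s
BUSY = [(100 + i * 0.5, "192.0.2.10") for i in range(8)]   # legitimate burst
EVENTS = FAST + SLOW + BUSY

if __name__ == "__main__":
    # Too soft: only the noisy scanner is caught, the slow one slips by.
    print("limit 15/10s:", offenders(EVENTS, 15, 10))
    # Too harsh: the legitimate burst from 192.0.2.10 is blocked as well.
    print("limit 5/10s: ", offenders(EVENTS, 5, 10))
    # Strict limit plus an allowlist for known-good networks.
    safe = offenders(EVENTS, 5, 10, allowlist=["192.0.2.0/24"])
    for cmd in ipfw_commands(safe):
        print(cmd)
```

Neither threshold catches the slow scanner at 203.0.113.9, which is the "too soft" half of the risk: a rate limit alone does not see low-and-slow probing.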


