Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 11 Oct 2004 20:21:04 +0900
From:      Rob <spamrefuse@yahoo.com>
To:        uidzero <uidzero@one-arm.com>, freebsd-questions@freebsd.org
Subject:   Re: Adding network & IP to hosts.deny
Message-ID:  <416A6CA0.1020306@yahoo.com>
In-Reply-To: <416A60A3.8060906@one-arm.com>
References:  <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAArvdSa/sjb0OI1eLKLXuK1sKAAAAQAAAAnNdJfVuVREajW0jiKTPoYAEAAAAA@spd.nu> <416A5CF6.20508@one-arm.com> <416A6062.9080106@yahoo.com> <416A60A3.8060906@one-arm.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
uidzero wrote:
> Rob wrote:
> 
>> uidzero wrote:
>>
>>> Pelle Andersson wrote:
>>>
>>>> Hi!
>>>>
>>>> I have a lot of login attempts from various networks and IP addresses
>>>> on my FBSD 4.10 server. I have read the man pages for hosts.deny but
>>>> do not understand how to add networks and IP addresses to it.
>>>>
>>>
>>> I use "/etc/rc.ipfw"...
>>>
>>>
>>> ${fwcmd} add 300 deny IP from 24.19.0.105 to any
>>> ${fwcmd} add 301 deny IP from 24.79.68.179 to any
>>> ${fwcmd} add 400 deny IP from 61.100.180.125 to any
>>> ${fwcmd} add 401 deny IP from 61.206.125.28 to any
   [...snip...]
>>> ${fwcmd} add 971 deny IP from 220.73.215.151 to any
>>> ${fwcmd} add 980 deny IP from 221.3.131.80 to any
>>> ${fwcmd} add 981 deny IP from 221.12.11.118 to any
>>> ${fwcmd} add 982 deny IP from 222.56.118.124 to any
>>
>>
>>
>> I have attacks by similar IP numbers. However, I discovered
>> that these IP numbers are used only once to attack my PC.
>> Next attack will be from a different IP number. So adding the
>> IP numbers to your list each time after an attack, will make
>> your deny-list longer and longer, but won't make it more effective,
>> since it doesn't protect you against the attackers next attempts.
>>
>> Unless, of course, someone is attacking again and again from the
>> same IP number; but that is not what I observe.
>>
>> Rob.
>>
>>
> 
> Actually, quite a few has attempted several times from the same IPs. I 
> figure if it gets to big, I'll just block the whole class. What do I 
> care if a whole country can't access my lil webserver? :)

Have you bothered to monitor your rules with ipfw -dt show, or by adding
a 'log' to your rules? That would give you a clue as to how effective
your deny rules are.

Rob.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?416A6CA0.1020306>