From: uidzero
Date: Mon, 11 Oct 2004 07:32:36 -0500
To: Rob
cc: freebsd-questions@freebsd.org
Subject: Re: Adding network & IP to hosts.deny
Message-ID: <416A7D64.4090702@one-arm.com>
In-Reply-To: <416A6CA0.1020306@yahoo.com>

Rob wrote:
> uidzero wrote:
>
>> Rob wrote:
>>
>>> uidzero wrote:
>>>
>>>> Pelle Andersson wrote:
>>>>
>>>>> Hi!
>>>>>
>>>>> I have a lot of login attempts from various networks and IP addresses
>>>>> on my FBSD 4.10 server. I have read the man pages for hosts.deny but
>>>>> do not understand how to add networks and IP addresses to it.
>>>>>
>>>>
>>>> I use "/etc/rc.ipfw"...
>>>>
>>>>
>>>> ${fwcmd} add 300 deny IP from 24.19.0.105 to any
>>>> ${fwcmd} add 301 deny IP from 24.79.68.179 to any
>>>> ${fwcmd} add 400 deny IP from 61.100.180.125 to any
>>>> ${fwcmd} add 401 deny IP from 61.206.125.28 to any
>>>
> [...snip...]
>
>>>> ${fwcmd} add 971 deny IP from 220.73.215.151 to any
>>>> ${fwcmd} add 980 deny IP from 221.3.131.80 to any
>>>> ${fwcmd} add 981 deny IP from 221.12.11.118 to any
>>>> ${fwcmd} add 982 deny IP from 222.56.118.124 to any
>>>
>>>
>>> I have attacks by similar IP numbers. However, I discovered
>>> that these IP numbers are used only once to attack my PC.
>>> Next attack will be from a different IP number. So adding the
>>> IP numbers to your list each time after an attack, will make
>>> your deny-list longer and longer, but won't make it more effective,
>>> since it doesn't protect you against the attacker's next attempts.
>>>
>>> Unless, of course, someone is attacking again and again from the
>>> same IP number; but that is not what I observe.
>>>
>>> Rob.
>>>
>>
>> Actually, quite a few have attempted several times from the same IPs.
>> I figure if it gets too big, I'll just block the whole class. What do
>> I care if a whole country can't access my lil webserver? :)
>
>
> Have you bothered to monitor your rules with ipfw -dt show, or by adding
> a 'log' to your rules? That would give you a clue as to how effective
> your deny rules are.
>
> Rob.
>

I've added a few friends' static IPs and they weren't able to get any of
the services my system runs. So, not only is ssh blocked, everything is
blocked.

Michael

--
Michael D. Whities
uidzero@one-arm.com
http://www.one-arm.com
--
There are four colors of hats to watch for:
Black, White, Grey, and Red.
The meanings are:
Cracker, Hacker, Guru, and Victim.
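
Rob's suggestion in the thread, checking the counters from `ipfw -t show` to see whether the per-address deny rules ever match, can be scripted as below. This is an added example, not part of the original messages: the function names and the sample listing (documentation addresses, made-up counters) are constructed, and it assumes the usual listing layout of rule number, packets, bytes, last-match time (blank if never matched), then the rule body.

```shell
#!/bin/sh
# Constructed sample in the layout of `ipfw -t show` (not real data).
sample_ipfw_show() {
cat <<'EOF'
00300    12    720 Mon Oct 11 07:10:03 2004 deny ip from 192.0.2.10 to any
00301     0      0                          deny ip from 192.0.2.77 to any
00400     3    180 Sun Oct 10 22:41:19 2004 deny ip from 198.51.100.5 to any
00401     0      0                          deny ip from 203.0.113.9 to any
65000  9120 881123 Mon Oct 11 07:31:58 2004 allow ip from any to any
EOF
}

# Read `ipfw -t show` text on stdin; print one line per deny rule:
#   <rule> <source> <packets> hit|never
deny_rule_hits() {
    awk '
    {
        # The timestamp is blank for rules that never matched, so the
        # action is not at a fixed field position: search for it.
        act = 0
        for (i = 4; i <= NF; i++) if ($i == "deny") { act = i; break }
        if (!act) next
        src = "?"
        for (i = act; i < NF; i++) if ($i == "from") { src = $(i + 1); break }
        print $1, src, $2, ($2 > 0 ? "hit" : "never")
    }'
}

# Summarise how many deny rules have matched at least one packet.
deny_rule_summary() {
    deny_rule_hits | awk '
        { total++; if ($4 == "hit") hit++ }
        END { printf "%d of %d deny rules matched\n", hit + 0, total + 0 }'
}

sample_ipfw_show | deny_rule_hits
sample_ipfw_show | deny_rule_summary
```

On a live system the input would be `ipfw -t show | deny_rule_hits`; rules that stay at "never" are the ones Rob describes as lengthening the list without blocking anything.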