From owner-freebsd-questions@FreeBSD.ORG Mon Oct 18 14:26:39 2004
Date: Mon, 18 Oct 2004 10:29:02 -0400
From: Louis LeBlanc
To: FBSD-Q
Subject: Re: Are these attempts by password crackers??
Message-ID: <20041018142902.GA4599@keyslapper.org>
In-Reply-To: <200410181447.15620.h@erathia.be>
References: <20041018055122.GB35360@ns2.wananchi.com> <200410181447.15620.h@erathia.be>
User-Agent: Mutt/1.5.6i

On 10/18/04 02:47 PM, h sat at the `puter and typed:
> trace the ip and file complain to their isp ?

$ whois 210.80.96.185
OrgName:        Asia Pacific Network Information Centre
OrgID:          APNIC
Address:        PO Box 2131
City:           Milton
StateProv:      QLD
PostalCode:     4064
Country:        AU
ReferralServer: whois://whois.apnic.net

NetRange:       210.0.0.0 - 211.255.255.255
CIDR:           210.0.0.0/7
NetName:        APNIC-CIDR-BLK2
NetHandle:      NET-210-0-0-0-1
. . .

Don't even bother when it's an Asian network.
I just add the CIDR to my firewall and lop off a chunk of Asia each time this happens. I think I've got most of it killed at this point. Of course, this is a bit excessive, and many people won't be able to function this way. I, OTOH, have no direct dealings with Asia at this point, and don't have a problem shutting the door to these networks for the time being.

For most countries, I generally try to make a complaint. If I think I might even remotely wish to surf there, I avoid the blockade. As with any excessive method, I tend to cycle them out at some point. If the problem returns, I cycle it back in. At some point, I may have to take out these blockades and deal with the attempts more directly, but not now. Maybe someday it will be easier to have action taken in these cases.

One more thing that might be worth trying: block out all users that should not be able to log in from outside. I have several that may log in from my internal network, but not from outside. This is done in login.access as follows:

-:user1 user2 user3:ALL EXCEPT LOCAL .mydomain.org

This removes access (-) for the given users (user1, user2, user3) from all locations except the local machine and any machine recognized as a mydomain.org system (like rainbow.mydomain.org). That basically ensures these hackers won't have a larger access pool to try to find. The fewer users that can actually log in from external networks, the harder it will be for them to find one they can try to brute force.

Of course, the neat thing about this is FreeBSD will never tell them whether they have a real id or not anyway . . .

Lou
-- 
Louis LeBlanc FreeBSD@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org

Mark's Dental-Chair Discovery:
Dentists are incapable of asking questions that require a simple yes or no answer.
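The login.access rule in the message above is easy to get subtly wrong (a "." suffix rule versus an exact host, what LOCAL actually matches, first-match semantics), so here is an added example that is not part of the mail: a small Python evaluator of login.access(5) rules, run against the exact rule Lou posted and a few constructed (user, origin) pairs. It assumes users are matched as literal names only (real login.access also matches group names) and that host and domain comparisons are case-insensitive; the rule text and test pairs are constructed for illustration.

```python
"""Evaluate FreeBSD login.access(5) style rules: permission:users:origins.

Semantics implemented (see login.access(5)):
  - lines are 'permission:users:origins'; '#' comments and blank lines are skipped
  - permission is '+' (allow) or '-' (deny); the first matching rule wins
  - if no rule matches, access is granted
  - lists are space- or comma-separated; 'ALL' matches anything
  - 'LOCAL' matches an origin that contains no '.', i.e. an unqualified
    hostname or a tty name such as ttyv0
  - an origin item starting with '.' is a domain suffix; one ending with '.'
    is a network prefix (e.g. '10.10.'); anything else is an exact match
  - 'list1 EXCEPT list2' matches when list1 matches and list2 does not
Assumption: users are literal names only; group-name matching is omitted.
"""
from __future__ import annotations

from typing import Callable, Iterable

# Constructed ruleset: the single rule quoted in the mail, plus a comment line.
EXAMPLE_RULES = """
# deny user1..user3 everywhere except the console and *.mydomain.org hosts
-:user1 user2 user3:ALL EXCEPT LOCAL .mydomain.org
"""

Matcher = Callable[[str, str], bool]


def _split_list(field: str) -> list[str]:
    """login.access accepts either spaces or commas as list separators."""
    return [tok for tok in field.replace(",", " ").split() if tok]


def _match_origin(origin: str, item: str) -> bool:
    """Match one origin token (host, domain suffix, net prefix, LOCAL, ALL)."""
    o, it = origin.lower(), item.lower()
    if it == "all":
        return True
    if it == "local":
        return "." not in o
    if it.startswith("."):          # domain suffix, e.g. '.mydomain.org'
        return o.endswith(it)
    if it.endswith("."):            # network prefix, e.g. '10.10.'
        return o.startswith(it)
    return o == it                  # exact hostname or address


def _match_user(user: str, item: str) -> bool:
    """Match one user token; assumption: literal usernames and ALL only."""
    return item.upper() == "ALL" or item == user


def _match_list(value: str, field: str, matcher: Matcher) -> bool:
    """Apply a (possibly 'EXCEPT'-qualified) list of tokens to a value."""
    tokens = _split_list(field)
    uppers = [t.upper() for t in tokens]
    if "EXCEPT" in uppers:
        i = uppers.index("EXCEPT")
        included, excluded = tokens[:i], tokens[i + 1:]
        return (any(matcher(value, t) for t in included)
                and not any(matcher(value, t) for t in excluded))
    return any(matcher(value, t) for t in tokens)


def parse_rules(text: str) -> list[tuple[str, str, str]]:
    """Return (permission, users, origins) triples in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (part.strip() for part in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field in login.access line: {raw!r}")
        rules.append((perm, users, origins))
    return rules


def login_permitted(user: str, origin: str, rules_text: str = EXAMPLE_RULES) -> bool:
    """First matching rule decides; no matching rule means access is granted."""
    for perm, users, origins in parse_rules(rules_text):
        if _match_list(user, users, _match_user) and _match_list(origin, origins, _match_origin):
            return perm == "+"
    return True


def reachable_from(users: Iterable[str], origin: str, rules_text: str = EXAMPLE_RULES) -> set[str]:
    """The pool of accounts an attacker at `origin` could even try to brute-force."""
    return {u for u in users if login_permitted(u, origin, rules_text)}


if __name__ == "__main__":
    accounts = ["user1", "user2", "user3", "user4"]
    for origin in ("ttyv0", "rainbow.mydomain.org", "210.80.96.185", "mydomain.org.attacker.net"):
        print(f"{origin:28} -> {sorted(reachable_from(accounts, origin))}")
```

Note the last origin in the usage block: a host named mydomain.org.attacker.net does not end with ".mydomain.org", so the suffix rule correctly refuses it, whereas a substring test would have let it through. Also note that user4 is not listed in the rule, so it remains reachable from anywhere; the rule shrinks the externally attackable account pool only for the users you name.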