From owner-freebsd-questions@FreeBSD.ORG Sun Mar 21 01:33:45 2010
From: Erik Norgaard
To: freebsd-questions@freebsd.org
Date: Sun, 21 Mar 2010 02:33:42 +0100
Subject: Re: bruteforce protection howto
Message-ID: <4BA57776.8020404@locolomo.org>
In-Reply-To: <1269123444.32263.53.camel@ubuntu>

On 20/03/10 23:17, Vadkan Jozsef wrote:
> What's the best method to ban that ip [what is bruteforcing a server]
> what was logged on the logger?
> I need to ban the ip on the router pc.

Take your time to think about whether this is indeed the right solution.

1st: You need to decide which is the right policy to deploy. Basically you can opt for a default deny or a default allow. With default deny you create white lists for the exceptions that should be allowed. With default allow you create black lists.
Default deny and default allow roughly correspond to the policies of OpenBSD vs. Microsoft Windows.

So, when is white listing an option? When you have a limited set of exceptions, for example your local users that need ssh access. If this set is limited, consider deploying default deny. On the other hand, this is not an option for your web service that you wish to provide for anyone anywhere.

Blacklisting is futile (think, did anti-virus solve the virus problem?). Intruders may attempt to connect from anywhere; blocking a single IP won't solve your problem, most likely the next attempt will not come from that IP. This is because these attacks may be launched from a number of compromised PCs and because the attacking PC may have a dynamically assigned address.

So you need to block entire ranges, but which? I recently analysed my maillog to see where attempted spammers connected from. I found some 3500 hosts in 1600 ranges (using whois lookup), these ranges being typically /16. I haven't tried with ssh but I doubt it would be much different.

If on top of this you make some auto-respond system, you expose yourself to a denial of service attack, blindly blocking anything that creates a log entry.

Whether you use white or black listing, this is effective only if you can make informed decisions. If you don't do business with, say, China and you know that 25% of all spam originates from China, it is only rational to block access from China.

But, whenever possible, use white listing.

BR, Erik

-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157
http://www.locolomo.org
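The analysis Erik describes (counting distinct attacking hosts, rolling them up into /16 ranges, and asking how much a single-IP ban would actually stop) can be run over your own sshd log. The script below is an added example, not code from the thread or from FreeBSD; the log lines are constructed samples in the FreeBSD sshd format using documentation address space, and the `/16` aggregation and the whitelist helper (the default-deny check) are assumptions for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of FreeBSD sshd log lines (not real traffic).
SAMPLE_LOG = """\
Mar 20 23:17:01 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar 20 23:17:03 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2
Mar 20 23:17:09 gw sshd[1204]: Failed password for root from 203.0.113.77 port 51002 ssh2
Mar 20 23:18:15 gw sshd[1210]: Failed password for invalid user oracle from 198.51.100.9 port 33001 ssh2
Mar 20 23:19:40 gw sshd[1215]: Failed password for invalid user test from 198.51.100.200 port 33077 ssh2
Mar 20 23:20:02 gw sshd[1220]: Failed password for root from 192.0.2.14 port 60100 ssh2
Mar 20 23:21:30 gw sshd[1222]: Accepted publickey for erik from 192.0.2.14 port 60200 ssh2
"""

# Only failed password attempts count; accepted logins are ignored.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+")


def failed_sources(log_text):
    """Return a Counter of source IPs that produced failed logins."""
    return Counter(m.group(1) for m in map(FAILED_RE.search, log_text.splitlines()) if m)


def by_prefix(sources, prefix_len=16):
    """Aggregate per-IP counts into /prefix_len ranges (the /16 observation from the mail)."""
    ranges = Counter()
    for ip, n in sources.items():
        ranges[str(ip_network(f"{ip}/{prefix_len}", strict=False))] += n
    return ranges


def share_blocked_by_top_ip(sources):
    """Fraction of failed attempts that banning the single busiest source would have stopped."""
    total = sum(sources.values())
    return sources.most_common(1)[0][1] / total if total else 0.0


def would_pass_whitelist(ip, allowed_cidrs):
    """Default-deny check: is this source inside one of the explicitly allowed ranges?"""
    addr = ip_address(ip)
    return any(addr in ip_network(c) for c in allowed_cidrs)


if __name__ == "__main__":
    src = failed_sources(SAMPLE_LOG)
    print(len(src), "hosts in", len(by_prefix(src)), "/16 ranges")
    print("share stopped by banning the top IP: %.2f" % share_blocked_by_top_ip(src))
```

On the sample, banning the busiest single address stops only a third of the attempts, which is the point of the reply; feed it `/var/log/auth.log` to see the same ratio for your own host.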