Date:      Mon, 23 May 2005 21:05:27 -0400
From:      "fbsd_user" <fbsd_user@a1poweruser.com>
To:        "Francisco Reyes" <lists@natserv.com>, "Chris" <racerx@makeworld.com>
Cc:        John DeStefano <john.destefano@gmail.com>, Jerry Bell <jbell@stelesys.com>, freebsd-questions@freebsd.org
Subject:   RE: securing SSH, FBSD systems
Message-ID:  <MIEPLLIBMLEEABPDBIEGEEIFHFAA.fbsd_user@a1poweruser.com>
In-Reply-To: <20050522202535.K29197@zoraida.natserv.net>

>2- Every time I see script kiddies I black hole their IPs.
>
>I black hole them not only because of ssh, but because, just as they tried
>to attack ssh the same IPs may try other attacks. I try and stay up to
>date in patches, but it can not hurt to block known
>compromised/hacker machines. The IPs can be listed either in the firewall
>or using
>route add -host <hacker ip> 127.0.0.1 -blackhole
>
>I was told that this method of blackholing was more efficient when using a
>long list of IPs because IPFW looks at a linear list while the route list
>was some sort of tree which is more efficient to search.
>
>Over time.. my list of blackholed IPs is 300+ and growing. Every week I
>add anywhere from 2 to 10 new IPs. :-(
>
>Besides ssh I also look for machines trying to attack the web server.. ie
>a machine looking for files in c:\winnt or any other Windows directory is a
>sure sign of a compromised machine with a virus/worm trying to infect more
>machines.

***********************************  *******************************

These manual routes are stored in memory.
Can you tell how much memory is used by your 300+ list?

Is there some command to display these user added route list?

Is the <hacker ip> a single IP address or can you say 62.0.0.0/8?

Can I stack these commands in a script to run every time the system
boots?
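An added example, not part of this thread: a small POSIX sh helper that turns a hand-maintained blocklist file into the quoted `route add ... -blackhole` commands, so the list can be kept in one file and applied from a boot script. The list format, the function names and the sample addresses (constructed from RFC 5737 documentation ranges) are my assumptions, not anything the posters used.

```shell
#!/bin/sh
# Build FreeBSD blackhole routes from a blocklist file (one IPv4 per line,
# '#' comments and blank lines allowed). Applying them needs root on FreeBSD;
# generating them works anywhere, so the list can be reviewed before loading.

# Constructed sample list (documentation addresses, not real attackers).
SAMPLE_LIST=${TMPDIR:-/tmp}/blackhole.sample
cat > "$SAMPLE_LIST" <<'EOF'
# constructed blocklist
192.0.2.10
198.51.100.7
192.0.2.10
999.1.1.1
not-an-ip
EOF

# Print one 'route add' per valid, unique address; report bad lines on stderr.
blackhole_cmds() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            ip = $1
            n = split(ip, o, ".")
            ok = (n == 4)
            for (i = 1; ok && i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || (o[i] + 0) > 255) ok = 0
            if (!ok) { print "skip malformed: " $0 > "/dev/stderr"; next }
            if (ip in seen) next                  # drop duplicate entries
            seen[ip] = 1
            print "route add -host " ip " 127.0.0.1 -blackhole"
        }' "$1"
}

# Number of routes the list would add (a quick size check as the list grows).
blackhole_count() {
    blackhole_cmds "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Apply the routes (run as root on FreeBSD, e.g. from a boot-time script).
blackhole_apply() {
    blackhole_cmds "$1" | while read -r cmd; do
        $cmd
    done
}

blackhole_cmds "$SAMPLE_LIST"
```

Run `blackhole_cmds` first to review what would be added; `blackhole_apply` only executes what that output shows.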
