From owner-freebsd-questions@FreeBSD.ORG Tue May 24 01:05:39 2005 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C063916A41C for ; Tue, 24 May 2005 01:05:39 +0000 (GMT) (envelope-from fbsd_user@a1poweruser.com) Received: from mta10.adelphia.net (mta10.adelphia.net [68.168.78.202]) by mx1.FreeBSD.org (Postfix) with ESMTP id 447D743D1F for ; Tue, 24 May 2005 01:05:39 +0000 (GMT) (envelope-from fbsd_user@a1poweruser.com) Received: from barbish ([69.172.31.81]) by mta10.adelphia.net (InterMail vM.6.01.04.01 201-2131-118-101-20041129) with SMTP id <20050524010538.ECVR17140.mta10.adelphia.net@barbish>; Mon, 23 May 2005 21:05:38 -0400 From: "fbsd_user" To: "Francisco Reyes" , "Chris" Date: Mon, 23 May 2005 21:05:27 -0400 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0) In-Reply-To: <20050522202535.K29197@zoraida.natserv.net> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409 Importance: Normal Cc: John DeStefano , Jerry Bell , freebsd-questions@freebsd.org Subject: RE: securing SSH, FBSD systems X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: fbsd_user@a1poweruser.com List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 May 2005 01:05:39 -0000 >2- Every time I see script kiddies I black hole their IPs. >I black hole them not only because of ssh, but because, just as they tried >to attack ssh the same IPs may try other attacks. I try and stay up to >date in patches, but it can not hurt to block known >compromised/hacker machines. The IPs can be listed either in the firewall >or using >route add -host 127.0.0.1 -blackhole >I was told that this method of blackholing was more efficient when using a >long list of IPs becaues IPFW looks at a linear list while the route list >was some sort of tree which is more efficient to search. >Over time.. my list of blackholed IPs is 300+ and growing. Every week I >add anywhere from 2 to 10 new IPs. :-( >Besides ssh I also look for machines trying to attack the web server.. ie >a machine looking for files in c:\winnt or any other window directory is a >sure sign of a compromised wmachine ith a virus/worm trying to infect more >machines. _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org" *********************************** ******************************* These manual routes are stored in memory. Can you tell how much memory is used by your 300+ list? Is there some command to display these user added route list? Is the a single IP address or can you say 62.0.0.0/8? Can I stack these commands in a script to run every time the system boots?