From owner-freebsd-questions@FreeBSD.ORG Tue Sep 28 16:48:04 2004
Date: Tue, 28 Sep 2004 12:47:59 -0400
From: Bill Moran
To: "dave"
cc: freebsd-questions@freebsd.org
Subject: Re: connections from dialup IP's
Message-Id: <20040928124759.64539196.wmoran@potentialtech.com>
In-Reply-To: <001f01c4a57a$440d4510$0200a8c0@satellite>
References: <001f01c4a57a$440d4510$0200a8c0@satellite>
Organization: Potential Technologies

"dave" wrote:

> Hello,
> Last evening I had a pretty determined dialup user try to ssh in to my
> system as root, the logs showed he tried for over 15 minutes. What I'd like
> to know is, is there a way of dropping a connection from an IP if it connects
> more than x times in a minute? Or any other suggestions of dealing with
> this? I did a host lookup on the IP, 211.206.125.39
> which came back not found which kind of tells me he got offline. Suggestions
> welcome.
> Also I'm not familiar with the .kr domain I'd like to block connections
> from that one as well, same reason this one 4 minutes 165.132.58.56

A whois lookup will tell you what IPs belong to a particular domain.

You can then use the technique of your choice to block them, whether it
be packet filter or host.allow-like functionality. I usually just add
an ipfw rule, myself, but you've got lots of choices.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
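
The "more than x times in a minute" check from the question, combined with the ipfw rule mentioned in the reply, can be driven from the sshd log. This is an added example, not part of the original message: the function names, the threshold of 3 and the sample log lines (documentation-range addresses) are constructed, and it assumes the standard sshd "Failed password for ... from IP port N ssh2" syslog line. It prints the rules for review instead of applying them.

```shell
#!/bin/sh
# Added example: find sources with too many failed sshd logins in one minute
# and print (not run) an ipfw deny rule for each, for review.

# Constructed sample lines in the syslog format sshd writes to auth.log.
sample_log() {
cat <<'EOF'
Sep 28 01:10:02 host sshd[411]: Failed password for root from 203.0.113.5 port 4021 ssh2
Sep 28 01:10:09 host sshd[412]: Failed password for root from 203.0.113.5 port 4022 ssh2
Sep 28 01:10:15 host sshd[413]: Failed password for root from 198.51.100.7 port 5100 ssh2
Sep 28 01:10:21 host sshd[414]: Failed password for root from 203.0.113.5 port 4023 ssh2
Sep 28 01:10:40 host sshd[415]: Failed password for root from 203.0.113.5 port 4024 ssh2
Sep 28 01:10:58 host sshd[416]: Failed password for root from 198.51.100.7 port 5101 ssh2
Sep 28 01:11:05 host sshd[417]: Failed password for root from 198.51.100.7 port 5102 ssh2
Sep 28 01:11:30 host sshd[418]: Failed password for root from 198.51.100.7 port 5103 ssh2
Sep 28 01:12:00 host sshd[419]: Accepted password for dave from 192.0.2.10 port 6000 ssh2
EOF
}

# stdin: auth.log lines; $1: allowed failures per source per clock minute.
# Prints each source address once, when it first exceeds the limit.
noisy_sources() {
    awk -v max="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            # The user name is attacker-chosen text, so read the address by
            # position from the end ("from IP port N ssh2") and validate it.
            ip = $(NF - 3)
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            minute = $1 " " $2 " " substr($3, 1, 5)    # e.g. "Sep 28 01:10"
            if (++hits[ip, minute] == max + 1 && !seen[ip]++) print ip
        }'
}

# Turns the flagged addresses into ipfw rules. The rule has no number, so ipfw
# appends it; it must sit before any rule that allows port 22 to take effect.
block_rules() {
    noisy_sources "$1" | while read -r ip; do
        echo "ipfw add deny tcp from $ip to any 22"
    done
}

sample_log | block_rules 3
```

Counting is per clock minute, so a burst that straddles a minute boundary is split across two buckets; a lower threshold compensates for that.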