From: Kevin Kinsey
Date: Mon, 10 Jan 2005 10:41:03 -0600
To: artware
Cc: freebsd-questions@freebsd.org
Subject: Re: Blacklisting IPs

artware wrote:
> Hello again,
>
> My 5.3R system has only been up a little over a week, and I've already
> had a few breakin attempts -- they show up as Illegal user tests in
> the /var/log/auth.log... It looks like they're trying common login
> names (probably with the login name used as passwd). It takes them
> hours to try a dozen names, but I'd rather not have any traffic from
> these folks. Is there any way to blacklist IPs at the system level, or
> do I have to hack something together for each daemon?
>
> - ben

/etc/hosts.allow?
There were a lot of varying ideas in a thread titled "blacklisting failed ssh attempts" on this list about Dec. 1st --- perhaps you can gain some wisdom there. I don't know that it's much to worry about, just a bot looking for lame passwords on Linux boxen. There are a number of possible responses, and the likelihood of a successful "attack" via this mechanism seems slim....

Kevin Kinsey
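One way to turn the "Illegal user" entries Ben sees in /var/log/auth.log into the /etc/hosts.allow blacklist suggested above; this is an added example script, not code from the thread, and the log lines, hostnames and addresses in it are constructed samples (the threshold value is an assumption, chosen so one mistyped login does not lock a legitimate user out):

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines (sshd "Illegal user" format, not real data).
SAMPLE_AUTH_LOG = """\
Jan 10 03:12:44 box sshd[1234]: Illegal user test from 192.0.2.10
Jan 10 03:14:02 box sshd[1236]: Illegal user guest from 192.0.2.10
Jan 10 03:15:51 box sshd[1240]: Illegal user admin from 192.0.2.10
Jan 10 04:01:09 box sshd[1301]: Illegal user oracle from 198.51.100.7
Jan 10 04:30:00 box sshd[1355]: Accepted publickey for ben from 203.0.113.5 port 51022 ssh2
"""

# Matches the login name tried and the IPv4 source of an "Illegal user" entry.
ILLEGAL_USER_RE = re.compile(
    r"sshd\[\d+\]: Illegal user (\S+) from (\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def count_illegal_users(log_text):
    """Return {source_ip: number_of_illegal_user_attempts} for the given log text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ILLEGAL_USER_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return dict(counts)


def hosts_allow_deny_lines(counts, threshold):
    """Build TCP-wrapper lines 'sshd : <ip> : deny' for every source at or above
    the threshold. Sorted so repeated runs produce a stable file to diff."""
    offenders = sorted(ip for ip, n in counts.items() if n >= threshold)
    return ["sshd : %s : deny" % ip for ip in offenders]


if __name__ == "__main__":
    # Assumed threshold: three failed unknown-user attempts from one address.
    for line in hosts_allow_deny_lines(count_illegal_users(SAMPLE_AUTH_LOG), 3):
        print(line)
```

hosts.allow is evaluated first-match, so the generated deny lines have to be placed above any catch-all such as `ALL : ALL : allow` in the file; the same mechanism only covers daemons built with TCP wrappers, so it does not replace a packet filter.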