Date: Mon, 10 Jan 2005 14:16:52 -0500
From: Louis LeBlanc <FreeBSD@keyslapper.org>
To: dave <dmehler26@woh.rr.com>
Cc: FreeBSD Questions <freebsd-questions@FreeBSD.org>
Subject: Re: firewall setup and whois for blacklisting IP's
Message-ID: <20050110191652.GE7456@keyslapper.org>
In-Reply-To: <001701c4f743$153e9930$0400a8c0@satellite>
References: <001701c4f743$153e9930$0400a8c0@satellite>
On 01/10/05 01:34 PM, dave sat at the `puter and typed:
> Hello,
> For your setup of blacklisting IP's do you use any cron scripts for
> procedure automation?
> I'm assuming for your firewall block table that you store that in a
> separate file? Can you send that file my way? I've tried to come up with a
> perl script to get whois information out of a maillog, I'm getting ssh
> attempts that correspond to mail relaying attempts so I thought that would be
> best, however there seems to be a difference in the way certain servers
> return whois information, do you have any experience with this?
> When you email an abuse contact approximately what percentage of them
> write you back? I've emailed several providers, comcast mostly in the US, but
> I have not heard anything back from the person. Is there some sort of
> standard email template you follow?
> Thanks.
> Dave.

Good questions.

I don't use any automation, I just look at the auth logs on a regular
basis. The reason is that I don't want to block every network that
attempts my system. I haven't found any of the security settings to
include illegal user attempts in the security mailing - though I'd think
that would be there, and on by default. If it were there, I'd use that
as a more reliable alert.

Also, I don't typically do anything at all with Amsterdam IPs, mostly
because I haven't decided whether there's anything legitimate to be
expected. I know there's a lot of porn sites, and this could easily be
a starting point for a lot of these attempts, but it's a fairly open
society, and I don't know whether the ISPs would really care about them.
They may well care in those that I do block, but my experience has shown
that they typically won't make much effort. Giving the benefit of the
doubt, it's probably more of a language barrier than a lack of interest.

When I used ipfw, I did keep the blocked lists in a separate file,
/etc/rc.firewall.blocked contained a rule for each CIDR block I rejected.

Now I keep it in a table definition in /etc/pf.conf. So far, in the
last month, this is the full table definition for my pf firewall:

    table <BLOCKED> { \
        60.0.0.0/8, \
        61.0.0.0/8, \
        195.0.0.0/8, \
        202.0.0.0/7, \
        221.0.0.0/8, \
        222.0.0.0/8 \
    }

And at the appropriate place, I have a rule to block anything from
those blocks:

    # Block Network Badlands (table <BLOCKED>)
    block in quick on $ext_if inet from <BLOCKED> to any

I haven't figured out how to automagically include a separate file with
this table defined yet, but I haven't really tried either. Another
option I haven't tried is to simply pull the CIDR specs out of something
like blackholes.us, which I use to block mail from Asia, but I haven't
taken the time to do that.

It probably wouldn't be rocket science to automagically scan for the
table definition and add a CIDR spec at the top of the table if it
wasn't already there, but like I said, I haven't really been trying.

BTW, I'm copying this back to the list in case someone there *is* using
some kind of automation to alert them to illegal user attempts, or if
there is a switch I missed to include them in the security mailings.
That will give them an opportunity to give you some help. That's usually
a better option than getting me at the FreeBSD-at- address, since it
goes to a mailbox specifically for the list, and unless the subject sets
off any bells (like yours did in this case) I won't always read it.
Besides, I'm more of a novice with network security/firewall setup, so
you want some of the more knowledgeable folks there to have an
opportunity to correct me :)

For *true offlist* email, I can be reached more reliably at leblanc-at-

Good luck. I'll continue to follow this thread in case someone posts
something I can elaborate on to some useful end.
Lou
-- 
Louis LeBlanc
FreeBSD@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org                          Ô¿Ô¬

McGowan's Madison Avenue Axiom:
        If an item is advertised as "under $50", you can bet it's not $19.95.
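A sketch of the automation Lou describes but has not written, added here as an example and not part of the original thread: the blocklist lives in its own file (assumed path /etc/pf.blocked, one CIDR per line), which pf.conf loads with `table <BLOCKED> persist file "/etc/pf.blocked"`, a CIDR is appended only if it is well-formed and not already present, and a helper summarizes the sshd "Illegal user" sources from the auth log so the admin can review them before blocking. The file path, table name and log line wording are assumptions, not taken from the post.

```shell
#!/bin/sh
# Added example, not the poster's own script. Assumed layout: BLOCKFILE holds
# one CIDR per line and pf.conf loads it with
#   table <BLOCKED> persist file "/etc/pf.blocked"
BLOCKFILE="${BLOCKFILE:-/etc/pf.blocked}"   # assumed path
TABLE="${TABLE:-BLOCKED}"                   # table name from the post

# Accept only dotted-quad/prefix such as 202.0.0.0/7; return 1 otherwise.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
    prefix=${1##*/}
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- ${1%/*}; IFS=$oldifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
    return 0
}

# Append a CIDR to BLOCKFILE unless it is already listed.
# Returns 0 when added, 2 when already present, 1 when the spec is malformed.
add_block() {
    valid_cidr "$1" || return 1
    touch "$BLOCKFILE"
    grep -qxF "$1" "$BLOCKFILE" && return 2
    echo "$1" >> "$BLOCKFILE"
    # Also update the running table when pfctl is available (needs root).
    command -v pfctl >/dev/null 2>&1 && pfctl -t "$TABLE" -T add "$1" >/dev/null 2>&1
    return 0
}

# Print "count ip" for each source that tried a non-existent account, busiest
# first, from the sshd log named in $1. Matches the OpenSSH 3.x "Illegal user"
# wording of the time; newer releases log "Invalid user" instead.
illegal_user_sources() {
    grep 'Illegal user' "$1" | sed -n 's/.* from \([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}
```

Run `illegal_user_sources /var/log/auth.log` from cron to get the review list, then `add_block 61.0.0.0/8` by hand for the networks you decide to reject.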