From: Louis LeBlanc <FreeBSD@keyslapper.org>
To: dave
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Date: Mon, 10 Jan 2005 14:16:52 -0500
Subject: Re: firewall setup and whois for blacklisting IP's
Message-ID: <20050110191652.GE7456@keyslapper.org>
In-Reply-To: <001701c4f743$153e9930$0400a8c0@satellite>

On 01/10/05 01:34 PM, dave sat at the `puter and typed:
> Hello,
> For your setup of blacklisting IP's do you use any cron scripts for
> procedure automation?
> I'm assuming for your firewall block table that you store that in a
> separate file? Can you send that file my way? I've tried to come up with a
> perl script to get whois information out of a maillog. I'm getting ssh
> attempts that correspond to mail relaying attempts, so I thought that would be
> best; however, there seems to be a difference in the way certain servers
> return whois information. Do you have any experience with this?
> When you email an abuse contact, approximately what percentage of them
> write you back? I've emailed several providers, Comcast mostly in the US, but
> I have not heard anything back from the person. Is there some sort of
> standard email template you follow?
> Thanks.
> Dave.

Good questions.

I don't use any automation, I just look at the auth logs on a regular
basis. The reason is that I don't want to block every network that
attempts my system. I haven't found any of the security settings to
include illegal user attempts in the security mailing - though I'd think
that would be there, and on by default. If it were there, I'd use that
as a more reliable alert.

Also, I don't typically do anything at all with Amsterdam IPs, mostly
because I haven't decided whether there's anything legitimate to be
expected. I know there are a lot of porn sites, and this could easily be
a starting point for a lot of these attempts, but it's a fairly open
society, and I don't know whether the ISPs would really care about them.
They may well care in those that I do block, but my experience has shown
that they typically won't make much effort. Giving the benefit of the
doubt, it's probably more of a language barrier than a lack of interest.

When I used ipfw, I did keep the blocked lists in a separate file;
/etc/rc.firewall.blocked contained a rule for each CIDR block I
rejected. Now I keep it in a table definition in /etc/pf.conf.

So far, in the last month, this is the full table definition for my pf
firewall:

    # The table name was lost when this message was archived; <badlands>
    # is an editor's placeholder, not the name from the original pf.conf.
    table <badlands> { \
        60.0.0.0/8, \
        61.0.0.0/8, \
        195.0.0.0/8, \
        202.0.0.0/7, \
        221.0.0.0/8, \
        222.0.0.0/8 \
    }

And at the appropriate place, I have a rule to block anything from those
blocks:

    # Block Network Badlands (table <badlands>)
    block in quick on $ext_if inet from <badlands> to any

I haven't figured out how to automagically include a separate file with
this table defined yet, but I haven't really tried either. Another
option I haven't tried is to simply pull the CIDR specs out of something
like blackholes.us, which I use to block mail from Asia, but I haven't
taken the time to do that. It probably wouldn't be rocket science to
automagically scan for the table definition and add a CIDR spec at the
top of the table if it wasn't already there, but like I said, I haven't
really been trying.

BTW, I'm copying this back to the list in case someone there *is* using
some kind of automation to alert them to illegal user attempts, or if
there is a switch I missed to include them in the security mailings.
That will give them an opportunity to give you some help. That's usually
a better option than getting me at the FreeBSD-at- address, since it
goes to a mailbox specifically for the list, and unless the subject sets
off any bells (like yours did in this case) I won't always read it.
Besides, I'm more of a novice with network security/firewall setup, so
you want some of the more knowledgeable folks there to have an
opportunity to correct me :)

For *true offlist* email, I can be reached more reliably at leblanc-at-

Good luck. I'll continue to follow this thread in case someone posts
something I can elaborate on to some useful end.

Lou
-- 
Louis LeBlanc               FreeBSD@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org

McGowan's Madison Avenue Axiom:
    If an item is advertised as "under $50", you can bet it's not $19.95.
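The semi-automated review Lou describes (count "Illegal user" sshd attempts per source, then check whether a source's network is already covered by the pf table before deciding whether to add it) can be scripted without auto-blocking anything. The script below is an added example written for this page, not Lou's or anyone's posted code; the auth.log lines and the table text are constructed, and the table name <badlands> is an assumption.

```shell
#!/bin/sh
# Constructed sample auth.log lines in the sshd "Illegal user" format of the era;
# these are example values, not real traffic.
AUTHLOG=$(cat <<'EOF'
Jan 10 03:12:01 host sshd[1234]: Illegal user test from 61.1.2.3
Jan 10 03:12:04 host sshd[1234]: Illegal user admin from 61.1.2.3
Jan 10 03:15:22 host sshd[1240]: Illegal user guest from 203.0.113.7
Jan 10 03:15:25 host sshd[1240]: Illegal user oracle from 203.0.113.7
Jan 10 03:15:28 host sshd[1240]: Illegal user oracle from 203.0.113.7
Jan 10 04:01:00 host sshd[1250]: Illegal user root from 198.51.100.9
Jan 10 04:01:03 host sshd[1250]: Illegal user admin from 198.51.100.9
Jan 10 04:05:00 host sshd[1260]: Accepted publickey for lou from 192.0.2.1 port 5000 ssh2
EOF
)

# Constructed copy of the pf table as it would appear in pf.conf (name assumed).
PFTABLE='table <badlands> { 60.0.0.0/8, 61.0.0.0/8, 195.0.0.0/8, 202.0.0.0/7 }'

# Print "count ip" for every source with at least $1 illegal-user attempts.
offenders() {
    printf '%s\n' "$AUTHLOG" | awk -v min="$1" '
        /sshd\[[0-9]+\]: Illegal user/ { n[$NF]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' | sort -rn
}

# Return 0 if any CIDR in the table already contains IP $1, else 1.
# Prefix lengths other than /8 are handled (202.0.0.0/7 covers 203.x.x.x).
in_table() {
    printf '%s\n' "$PFTABLE" | awk -v ip="$1" '
        function toint(a,  p) { split(a, p, "."); return ((p[1]*256+p[2])*256+p[3])*256+p[4] }
        { for (i = 1; i <= NF; i++) if ($i ~ /^[0-9.]+\/[0-9]+,?$/) {
              sub(/,$/, "", $i); split($i, c, "/"); d = 2^(32-c[2])
              if (int(toint(ip)/d) == int(toint(c[1])/d)) found = 1 } }
        END { exit found ? 0 : 1 }'
}

# Candidates for manual review: repeat offenders not yet covered by the table.
candidates() {
    offenders "$1" | while read -r count ip; do
        in_table "$ip" || printf '%s %s\n' "$count" "$ip"
    done
}
```

Running `candidates 2` against the constructed data lists only 198.51.100.9, since 61.1.2.3 and 203.0.113.7 already fall inside the table's /8 and /7 entries.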