Date:      Mon, 10 Jan 2005 19:42:16 +0000
From:      Jez Hancock <jez.hancock@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Blacklisting IPs
Message-ID:  <7b3c7f0b0501101142223c3e36@mail.gmail.com>
In-Reply-To: <20050110172303.GA7456@keyslapper.org>
References:  <fd091951050109222052228399@mail.gmail.com> <20050110172303.GA7456@keyslapper.org>

On Mon, 10 Jan 2005 12:23:04 -0500, Louis LeBlanc
<FreeBSD@keyslapper.org> wrote:
> On 01/10/05 12:20 AM, artware sat at the `puter and typed:
> > Hello again,
> >
> > My 5.3R system has only been up a little over a week, and I've already
> > had a few breakin attempts -- they show up as Illegal user tests in
> > the /var/log/auth.log... It looks like they're trying common login
> > names (probably with the login name used as passwd). It takes them
> > hours to try a dozen names, but I'd rather not have any traffic from
> > these folks. Is there any way to blacklist IPs at the system level, or
> > do I have to hack something together for each daemon?
> 
> 
> The best defense is a good firewall, good passwords, and restriction of
> user ids that may login remotely.

I started blocking the addresses that attacked but the frequency of
the attacks made it impractical to add every attacking address to the
firewall ruleset.  I came to the conclusion that as long as the items
you mention above are in place - especially good passwords - and the
attacks aren't saturating the connection, then there's little to worry
about - perhaps on a par with portscanning.

Another fairly simple option though is to just change the port that
sshd listens on since the attacks presume that sshd is listening on
port 22.  Not always practical though if you have lots of users.

-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/
http://freebsd.munk.nu/      - A FreeBSD Diary
http://ipfwstats.sf.net/        - ipfw peruser traffic logging
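The reply above makes two points a practitioner will want to act on: adding every attacking address to the ruleset by hand does not scale, and only the "Illegal user" lines in auth.log identify the probes. The script below is an added example written for this page, not code from the thread or from any of the posters. It pulls the source addresses out of those log lines, counts failures per address, and emits ipfw(8) commands that put repeat offenders into a lookup table so one deny rule covers all of them. Assumptions (all hypothetical): ipfw with lookup-table support, table number 1, a threshold of three failed logins, and the OpenSSH wording "Illegal user NAME from ADDR" used on FreeBSD 5.x (the later "Invalid user" form is matched too). The log lines are constructed for the example and stand in for /var/log/auth.log.

```shell
#!/bin/sh
# Added example, not from the original thread. Harvest the addresses behind
# "Illegal user" probes and emit ipfw(8) table commands for them.
# Hypothetical assumptions: ipfw lookup tables are available, table 1 is
# free, and a threshold of 3 failures is the cut-off for blocking.

# Constructed sample of /var/log/auth.log (not real traffic). 192.0.2.10 and
# 203.0.113.5 are repeat offenders; 198.51.100.7 only tried once; the last
# line is a successful login and must not be picked up.
SAMPLE_LOG='Jan 10 03:14:07 host sshd[1234]: Illegal user admin from 192.0.2.10
Jan 10 03:14:09 host sshd[1236]: Illegal user test from 192.0.2.10
Jan 10 03:14:12 host sshd[1238]: Illegal user guest from 192.0.2.10
Jan 10 03:20:41 host sshd[1301]: Illegal user oracle from 198.51.100.7
Jan 10 04:02:13 host sshd[1402]: Invalid user www from 203.0.113.5
Jan 10 04:02:15 host sshd[1403]: Invalid user ftp from 203.0.113.5
Jan 10 04:02:17 host sshd[1404]: Invalid user postgres from 203.0.113.5
Jan 10 04:02:19 host sshd[1405]: Invalid user mysql from 203.0.113.5
Jan 10 05:00:00 host sshd[1500]: Accepted publickey for jez from 192.0.2.99 port 40112 ssh2'

# offenders THRESHOLD
# Reads log text on stdin and prints "COUNT ADDRESS", worst first, for every
# address with at least THRESHOLD failed "Illegal/Invalid user" attempts.
offenders() {
    threshold="${1:-3}"
    # Only sshd lines about unknown users; successful logins never match.
    grep -E 'sshd\[[0-9]+\]: (Illegal|Invalid) user ' |
    # Keep the address after the last " from " on the line.
    sed 's/.* from \([0-9][0-9.]*\).*/\1/' |
    sort | uniq -c |
    # uniq -c gives "   COUNT ADDR"; awk splits on whitespace regardless.
    awk -v t="$threshold" '$1 >= t { print $1, $2 }' |
    sort -rn
}

# ipfw_commands TABLE THRESHOLD
# Prints the ipfw commands instead of running them, so the output can be
# reviewed before it is applied. The deny rule is emitted once; the table
# entries are one per offending address.
ipfw_commands() {
    table="${1:-1}"
    threshold="${2:-3}"
    # Single rule that consults the table; install it once, ahead of the
    # rule that allows ssh in. Quoted so the shell leaves the parens alone.
    echo "ipfw add 100 deny tcp from 'table($table)' to me 22"
    offenders "$threshold" | while read -r count addr; do
        echo "ipfw table $table add $addr    # $count failed logins"
    done
}

# Stand-alone run against the constructed sample. Against the real log:
#   sh blacklist.sh is not needed; instead: ipfw_commands 1 3 < /var/log/auth.log
printf '%s\n' "$SAMPLE_LOG" | ipfw_commands 1 3
```

Run it from cron against /var/log/auth.log and pipe the output through sh once you trust it; the table entries can later be dropped with `ipfw table 1 flush` rather than by hunting through rule numbers. Put an allow rule for your own management addresses ahead of rule 100, because a mistyped or spoofed-looking entry in the table would otherwise lock you out. The poster's caveat still applies: with good passwords (or key-only logins) and a short list of accounts permitted to log in remotely, this is log hygiene rather than a necessity, and attackers rotating through large address pools will keep the table growing.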