Date: Mon, 10 Jan 2005 15:00:55 -0500
From: Louis LeBlanc <FreeBSD@keyslapper.org>
To: freebsd-questions@freebsd.org
Subject: Re: Blacklisting IPs
Message-ID: <20050110200055.GF7456@keyslapper.org>
In-Reply-To: <7b3c7f0b0501101142223c3e36@mail.gmail.com>
References: <fd091951050109222052228399@mail.gmail.com> <20050110172303.GA7456@keyslapper.org> <7b3c7f0b0501101142223c3e36@mail.gmail.com>
On 01/10/05 07:42 PM, Jez Hancock sat at the `puter and typed:
> On Mon, 10 Jan 2005 12:23:04 -0500, Louis LeBlanc
> <FreeBSD@keyslapper.org> wrote:
> > On 01/10/05 12:20 AM, artware sat at the `puter and typed:
> > > Hello again,
> > >
> > > My 5.3R system has only been up a little over a week, and I've already
> > > had a few break-in attempts -- they show up as Illegal user tests in
> > > the /var/log/auth.log... It looks like they're trying common login
> > > names (probably with the login name used as passwd). It takes them
> > > hours to try a dozen names, but I'd rather not have any traffic from
> > > these folks. Is there any way to blacklist IPs at the system level, or
> > > do I have to hack something together for each daemon?
> > >
> >
> > The best defense is a good firewall, good passwords, and restriction of
> > user ids that may log in remotely.
>
> I started blocking the addresses that attacked but the frequency of
> the attacks made it impractical to add every attacking address to the
> firewall ruleset. I came to the conclusion that as long as the items
> you mention above are in place - especially good passwords - and the
> attacks aren't saturating the connection, then there's little to worry
> about - perhaps on a par with portscanning.

You're right there, but I figure I'm going to get hundreds or thousands
of IPs if I block the CIDR spec. It's a little heavy-handed, but those
networks will often beget dozens of attacks over a space of a couple
weeks sometimes, and often no two come from the same IP. Whether it's
the same system is anyone's guess, but unless they get a new provider,
they have no access to my system.

> Another fairly simple option though is to just change the port that
> sshd listens on since the attacks presume that sshd is listening on
> port 22. Not always practical though if you have lots of users.

I've seen this recommended here many times. I haven't done it because I
work on too many systems that I don't have that kind of control over,
and I don't need to confuse myself with nonstandard configs. I already
have 2 or 3 dozen passwords to remember :|

Lou
--
Louis LeBlanc FreeBSD@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org

I have yet to see any problem, however complicated, which, when you
looked at it in the right way, did not become still more complicated.
-- Poul Anderson
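An added example, not part of this thread or of anyone's post in it: a small Python script that does the triage the thread describes. It counts the "Illegal user" entries in /var/log/auth.log per source address, collapses them into /24 networks the way Louis describes blocking the whole CIDR block rather than each IP, and renders ipfw deny rules for networks that cross a threshold. The log lines are constructed samples in the "Illegal user X from IP" format that OpenSSH of that era wrote; the threshold, the /24 prefix length and the ipfw rule numbering are assumptions to be tuned for your own network.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample lines, written in the format sshd logged to
# /var/log/auth.log on FreeBSD 5.x.  The addresses are documentation ranges.
SAMPLE_AUTH_LOG = """\
Jan 10 00:15:22 host sshd[1234]: Illegal user test from 198.51.100.17
Jan 10 00:17:40 host sshd[1236]: Illegal user admin from 198.51.100.17
Jan 10 01:02:11 host sshd[1250]: Illegal user guest from 198.51.100.88
Jan 10 02:44:03 host sshd[1301]: Illegal user oracle from 203.0.113.5
Jan 10 03:10:59 host sshd[1322]: Accepted publickey for lou from 192.0.2.44 port 51022 ssh2
Jan 10 04:20:01 host sshd[1340]: Illegal user test from 198.51.100.201
"""

# Matches only the failed-login-for-unknown-user lines; successful logins
# and other sshd chatter are ignored.
ILLEGAL_USER = re.compile(
    r"sshd\[\d+\]: Illegal user (\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_illegal_users(text):
    """Return a list of (username, source_ip) for each 'Illegal user' line."""
    hits = []
    for line in text.splitlines():
        m = ILLEGAL_USER.search(line)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


def count_by_ip(hits):
    """Attempts per individual source address (what a per-IP block would use)."""
    return Counter(ip for _, ip in hits)


def aggregate_by_network(hits, prefixlen=24):
    """Attempts per enclosing /prefixlen network.

    This is the "block the CIDR spec" approach from the thread: attackers
    hopping between addresses in one provider's block still land in one
    bucket.  The prefix length is an assumption; /24 is a common choice.
    """
    nets = Counter()
    for _, ip in hits:
        nets[ip_network(f"{ip}/{prefixlen}", strict=False)] += 1
    return nets


def blocklist(hits, threshold=2, prefixlen=24):
    """Sorted list of networks (as strings) with at least `threshold` attempts.

    A threshold above 1 keeps a single stray probe from earning a whole
    network a block, which is the heavy-handed side the thread mentions.
    """
    nets = aggregate_by_network(hits, prefixlen)
    return sorted(str(n) for n, c in nets.items() if c >= threshold)


def ipfw_rules(networks, start_rule=100, step=10):
    """Render one ipfw deny rule per network.

    Rule numbers are assumptions; place them before your accept rules.
    """
    return [
        f"ipfw add {start_rule + i * step} deny ip from {net} to any"
        for i, net in enumerate(networks)
    ]


if __name__ == "__main__":
    hits = parse_illegal_users(SAMPLE_AUTH_LOG)
    print("per IP:     ", dict(count_by_ip(hits)))
    print("per /24:    ", {str(k): v for k, v in aggregate_by_network(hits).items()})
    for rule in ipfw_rules(blocklist(hits)):
        print(rule)
```

On a live box you would feed it the real file (`parse_illegal_users(open("/var/log/auth.log").read())`) and review the output before loading anything; with pf instead of ipfw the same list can go into a table with `pfctl -t badhosts -T add <network>`. Check the per-IP counts against the per-network counts before blocking a /24, and make sure none of the candidate networks contains an address you administer from, since a block on the wrong provider range locks you out as effectively as it locks out the scanner.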