From: Louis LeBlanc <FreeBSD@keyslapper.org>
To: freebsd-questions@freebsd.org
Date: Mon, 10 Jan 2005 15:00:55 -0500
Subject: Re: Blacklisting IPs
Message-ID: <20050110200055.GF7456@keyslapper.org>
In-Reply-To: <7b3c7f0b0501101142223c3e36@mail.gmail.com>

On 01/10/05 07:42 PM, Jez Hancock sat at the `puter and typed:
> On Mon, 10 Jan 2005 12:23:04 -0500, Louis LeBlanc wrote:
> > On 01/10/05 12:20 AM, artware sat at the `puter and typed:
> > > Hello again,
> > >
> > > My 5.3R system has only been up a little over a week, and I've already
> > > had a few break-in attempts -- they show up as Illegal user tests in
> > > the /var/log/auth.log... It looks like they're trying common login
> > > names (probably with the login name used as passwd). It takes them
> > > hours to try a dozen names, but I'd rather not have any traffic from
> > > these folks. Is there any way to blacklist IPs at the system level, or
> > > do I have to hack something together for each daemon?
> >
> > The best defense is a good firewall, good passwords, and restriction of
> > user ids that may login remotely.
>
> I started blocking the addresses that attacked but the frequency of
> the attacks made it impractical to add every attacking address to the
> firewall ruleset. I came to the conclusion that as long as the items
> you mention above are in place - especially good passwords - and the
> attacks aren't saturating the connection, then there's little to worry
> about - perhaps on a par with portscanning.

You're right there, but I figure I'm going to get hundreds or thousands
of IPs if I block the CIDR spec. It's a little heavy handed, but those
networks will often beget dozens of attacks over a space of a couple
weeks sometimes, and often no two come from the same IP. Whether it's
the same system is anyone's guess, but unless they get a new provider,
they have no access to my system.

> Another fairly simple option though is to just change the port that
> sshd listens on since the attacks presume that sshd is listening on
> port 22. Not always practical though if you have lots of users.

I've seen this recommended here many times. I haven't done it because I
work on too many systems that I don't have that kind of control over,
and I don't need to confuse myself with nonstandard configs. I already
have 2 or 3 dozen passwords to remember :|

Lou
-- 
Louis LeBlanc FreeBSD@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org

I have yet to see any problem, however complicated, which, when you
looked at it in the right way, did not become still more complicated.
-- Poul Anderson
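Pulling the "Illegal user" lines out of auth.log and grouping them by /24 the way Lou describes (many attempts from a network, rarely twice from the same IP) can be scripted; this is an added Python example, not code from anyone in the thread. The log lines are constructed, the regex also accepts the "Invalid user" wording of later OpenSSH releases, and the thresholds are assumptions to tune per site.

```python
import ipaddress
import re
from collections import Counter

# sshd line the thread refers to: "Illegal user" in OpenSSH of that era,
# "Invalid user" in later releases. Regex is constructed for this example.
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?:Illegal|Invalid) user (\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample auth.log lines in FreeBSD 5.x syslog format (not real traffic).
SAMPLE_LOG = """\
Jan 10 03:12:44 myhost sshd[4121]: Illegal user test from 192.0.2.17
Jan 10 03:12:49 myhost sshd[4123]: Illegal user guest from 192.0.2.17
Jan 10 04:40:02 myhost sshd[4310]: Illegal user admin from 192.0.2.88
Jan 10 05:01:15 myhost sshd[4402]: Illegal user oracle from 198.51.100.9
Jan 10 05:03:20 myhost sshd[4409]: Accepted publickey for lou from 203.0.113.4 port 51022 ssh2
Jan 10 06:55:31 myhost sshd[4590]: Invalid user www from 192.0.2.201
"""


def failed_logins(log_text):
    """Yield (username, source_ip) for every illegal/invalid-user line."""
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            yield m.group(1), m.group(2)


def count_by_network(log_text, prefixlen=24):
    """Count illegal-user attempts per source network (default /24)."""
    counts = Counter()
    for _, ip in failed_logins(log_text):
        counts[str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))] += 1
    return counts


def distinct_hosts_by_network(log_text, prefixlen=24):
    """Number of distinct source IPs seen per network."""
    hosts = {}
    for _, ip in failed_logins(log_text):
        net = str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
        hosts.setdefault(net, set()).add(ip)
    return {net: len(ips) for net, ips in hosts.items()}


def candidate_blocks(log_text, min_attempts=3, min_hosts=2, prefixlen=24):
    """Networks that match the pattern in the thread: repeated attempts from
    several different hosts, so a single-IP rule would miss the next one."""
    attempts = count_by_network(log_text, prefixlen)
    hosts = distinct_hosts_by_network(log_text, prefixlen)
    return sorted(net for net, n in attempts.items()
                  if n >= min_attempts and hosts.get(net, 0) >= min_hosts)
```

The returned CIDR strings can be fed to whichever firewall table the host uses; the successful "Accepted" line is deliberately ignored so legitimate logins never count toward a block.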