Date: Mon, 10 Jan 2005 21:10:42 +0100
From: Erik Norgaard <norgaard@locolomo.org>
To: freebsd-questions@FreeBSD.org
Subject: Re: Blacklisting IPs
Message-ID: <41E2E142.3010901@locolomo.org>
In-Reply-To: <20050110172303.GA7456@keyslapper.org>
References: <fd091951050109222052228399@mail.gmail.com> <20050110172303.GA7456@keyslapper.org>
Louis LeBlanc wrote:
> On 01/10/05 12:20 AM, artware sat at the `puter and typed:
>> My 5.3R system has only been up a little over a week, and I've already
>> had a few breakin attempts -- they show up as Illegal user tests in
>> the /var/log/auth.log... It looks like they're trying common login
>> names (probably with the login name used as passwd). It takes them
>> hours to try a dozen names, but I'd rather not have any traffic from
>> these folks. Is there any way to blacklist IPs at the system level, or
>> do I have to hack something together for each daemon?
>
> I get this all the time too. I'm sure anyone with a *nix system on the
> net does.

I have two boxes. One allows password authentication, and I also see
these attempts. The other only accepts login with ssh keys, and I see no
such activity.

> I'm sure after reading this, someone else will post another favorite
> password generation method, including the numerous ports available - I'd
> like to see one that checks the security of a password rather than just
> generating them.

Yeah, close your eyes, hit the keyboard with all 10 fingers and your nose
and see what comes out:

ac0e48 amæifljasc4å0w(V4

OK - I admit, I didn't hit the keyboard with my nose, but it's absolutely
not a dictionary word :-)

> As for the firewall and the originating IP, I follow a plain process:
>
> Check the whois record of the offending IP.
> If the IP is in Asia, Russia, or Nigeria, I drop the CIDR spec into my
> firewall <BLOCKED> table and never hear from anyone on the network
> again. The CIDR spec is part of the whois record.
> If the IP is in Western Europe or North America, I notify the abuse
> address to inform them they either have a cracker or a cracked
> system.
>
> This practice has reduced these attempts considerably. Each time I see
> another, I add it to the blocked table (I use pf, not ipfw).

If it's a problem, try to reverse your thinking: why are you allowing
access from everywhere in the first place?

It is far easier to list the ranges you know your users will be logging
in from than to try to block these occasional events, which never happen
from the same source. If you are serving a university campus it's likely
not an option to block off specific countries or continents, but if it's
your SOHO I see no reason you should leave the doors open from ranges you
know can only be intruders.

If interested, I have a script for picking out countries from the
delegation lists: www.daemonsecurity.com/src/ip-rules.pl

Go ahead and hack it to create the rules you need.

Cheers, Erik

--
Ph: +34.666334818 web: www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
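The "list the ranges your users log in from" approach above hinges on turning the RIR delegation lists into firewall table entries. The following is an added example, not Erik's ip-rules.pl nor anything from the thread: it parses the public RIR "delegated" file format (fields are registry|cc|type|start|value|date|status; for ipv4 the value is an address count, for ipv6 a prefix length) and emits collapsed CIDR blocks for a chosen set of country codes, suitable for a pf table. The records in SAMPLE_DELEGATED are constructed for the example and are not a current RIR extract; the table name ssh_allow and the file path in the comments are assumptions.

```python
import ipaddress
import sys
from typing import Iterable, List, Tuple

# Constructed sample in the RIR "delegated" format (not a real extract).
# The first line is the file header, the second a summary line; both must
# be skipped, as must asn records. Note the non-power-of-two JP count,
# which has to be split into more than one CIDR block.
SAMPLE_DELEGATED = """\
2|ripencc|20050110|7|19830705|20050109|+0100
ripencc|*|ipv4|*|5|summary
ripencc|ES|ipv4|62.42.0.0|65536|19990818|allocated
ripencc|ES|ipv4|80.58.0.0|65536|20010412|allocated
ripencc|DK|ipv4|2.104.0.0|262144|20100211|allocated
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|JP|ipv4|1.0.16.0|768|20110412|allocated
ripencc|ES|ipv6|2001:720::|32|20000314|allocated
ripencc|ES|asn|3352|1|19950301|allocated
"""


def parse_delegated(lines: Iterable[str]) -> Iterable[Tuple[str, str, str, int]]:
    """Yield (cc, family, start, value) for ipv4/ipv6 records only."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        # Header lines have a date in field 3, summary lines have only six
        # fields, asn records are not address space: skip all of them.
        if len(fields) < 7 or fields[2] not in ("ipv4", "ipv6"):
            continue
        _registry, cc, family, start, value = fields[:5]
        yield cc, family, start, int(value)


def record_to_networks(family: str, start: str, value: int):
    """Convert one delegation record into one or more CIDR networks."""
    if family == "ipv4":
        # ipv4 records give a host count that need not be a power of two,
        # so summarize the inclusive range into aligned CIDR blocks.
        first = ipaddress.IPv4Address(start)
        last = first + (value - 1)
        return list(ipaddress.summarize_address_range(first, last))
    # ipv6 records carry the prefix length directly.
    return [ipaddress.IPv6Network(f"{start}/{value}")]


def networks_for_countries(lines: Iterable[str], countries: Iterable[str]) -> List[str]:
    """Return sorted, collapsed CIDR strings delegated to the given countries."""
    wanted = {c.upper() for c in countries}
    nets = []
    for cc, family, start, value in parse_delegated(lines):
        if cc in wanted:
            nets.extend(record_to_networks(family, start, value))
    # collapse_addresses merges adjacent blocks but requires one address
    # family at a time.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in list(v4) + list(v6)]


def pf_table_file(networks: List[str], table: str) -> str:
    """Render a file that pfctl -T replace -f can load into the named table."""
    header = f"# pf table <{table}> generated from RIR delegation data\n"
    return header + "".join(f"{n}\n" for n in networks)


# Assumed pf.conf fragment (table name and path are this example's choice):
#   table <ssh_allow> persist file "/etc/pf/ssh_allow.txt"
#   block in on $ext_if proto tcp to ($ext_if) port 22
#   pass in on $ext_if proto tcp from <ssh_allow> to ($ext_if) port 22
if __name__ == "__main__":
    # Usage: python3 rirtable.py ES DK < delegated-ripencc-latest
    countries = sys.argv[1:] or ["ES"]
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_DELEGATED.splitlines()
    sys.stdout.write(pf_table_file(networks_for_countries(source, countries), "ssh_allow"))
```

Run it against a downloaded delegation file and feed the output to `pfctl -t ssh_allow -T replace -f /etc/pf/ssh_allow.txt`; re-running after each RIR update keeps the allow list current without touching the ruleset. The filter is on the delegation's country code, so, as the message above notes, it fits a SOHO box with a known user base rather than a campus that must accept logins from anywhere.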
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?41E2E142.3010901>