Re: Blacklisting IPs

From: Gene (listmail_at_Bomgardner.net)
Date: 01/10/05

  • Next message: Jacek: "Upgrade na 5.3"
    Date: Mon, 10 Jan 2005 01:39:29 -0600
    To: artware <artware@gmail.com>
    
    

    I have the same problem - numerous attempts to crack accounts like
    "admin", "Guest", "test", and so on.

    If it continually comes from the same IP, blocking that IP at the
    firewall should do the trick.
    However, if the attempts come from varying IPs and you intend to allow
    logins from the Internet, then you'd need to block out an unwieldy
    number of IP addresses. The best bet in this case is to make sure your
    system is as secure as possible. Disable telnet and allow only ssh
    logins. Make sure you use strong passwords, or better, try one time
    passwords. (See the handbook.) I use ssh, no telnet from outside the
    lan, with ssh restricted to allow only certain users/groups to login,
    and all those groups use opie for one time passwords. In addition, the
    firewall (I use IPF) is pretty tight, only allowing through the services
    I want available outside the lan.

    I do seem to recall a scheme that detects such things as port scans and
    automagically adds a rule to the firewall to block the offending IP
    address, but I doubt that would help in your case.

    One other thing I have done: Since a great many of the attempts come
    from IPs that resolve to the "pl" top level domain, I've just blocked
    any ip address that resolves to that domain altogether. I don't really
    expect any interest in my web site to come from Poland, so the action is
    feasible for me.

    I'm certain that others on the list will come up with better methods,
    but I just wanted to toss in my 2 cents worth.

    Gene

    artware wrote:

    >Hello again,
    >
    >My 5.3R system has only been up a little over a week, and I've already
    >had a few break-in attempts -- they show up as Illegal user tests in
    >the /var/log/auth.log... It looks like they're trying common login
    >names (probably with the login name used as passwd). It takes them
    >hours to try a dozen names, but I'd rather not have any traffic from
    >these folks. Is there any way to blacklist IPs at the system level, or
    >do I have to hack something together for each daemon?
    >
    >- ben

    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
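Gene mentions a scheme that watches for abuse and automatically adds a firewall rule for the offending address, and ben asks whether IPs can be blacklisted at the system level rather than per daemon. The script below is an added example (not code from either poster) of the defensive half of that idea for the setup described in the thread: it counts the "Illegal user ... from IP" lines that sshd writes to auth.log on a FreeBSD 5.x box, and for any source address at or above a threshold it prints an IPF block rule. The log lines, the function names `count_offenders` and `ipf_rules`, the threshold and the interface name in `IFACE` are all assumptions made for the example; the rules are only printed so an administrator can review them before loading anything into ipf.

```shell
#!/bin/sh
# Added example: turn repeated "Illegal user" sshd log lines into candidate
# ipf(8) block rules. Not from the original thread; names are assumptions.

# Constructed sample auth.log lines in the FreeBSD 5.x sshd format
# ("Illegal user NAME from IP"). Addresses are documentation ranges.
SAMPLE_LOG='Jan 10 01:12:03 host sshd[1234]: Illegal user admin from 192.0.2.10
Jan 10 01:14:11 host sshd[1240]: Illegal user guest from 192.0.2.10
Jan 10 01:16:40 host sshd[1251]: Illegal user test from 192.0.2.10
Jan 10 02:00:01 host sshd[1300]: Illegal user admin from 198.51.100.7
Jan 10 02:05:22 host sshd[1310]: Accepted publickey for ben from 203.0.113.5 port 40000 ssh2'

# Interface the rules apply to (assumed; set to the external interface).
IFACE=${IFACE:-fxp0}

# count_offenders THRESHOLD
#   Reads log lines on stdin and prints "IP COUNT" for every source address
#   that produced at least THRESHOLD "Illegal user" lines. Successful logins
#   and other sshd messages are ignored.
count_offenders() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Illegal user / {
            # the address is the field after the word "from"
            for (i = 1; i <= NF; i++)
                if ($i == "from") hits[$(i + 1)]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= t) print ip, hits[ip]
        }
    ' | sort
}

# ipf_rules THRESHOLD
#   Prints one ipf "block in quick" rule per offender. Output is meant to be
#   reviewed first; an administrator could then load it with ipf -f.
ipf_rules() {
    count_offenders "$1" | while read -r ip count; do
        printf 'block in quick on %s from %s/32 to any\n' "$IFACE" "$ip"
    done
}

# Usage on the constructed sample: only 192.0.2.10 crosses a threshold of 3.
printf '%s\n' "$SAMPLE_LOG" | ipf_rules 3
```

On a real system the sample would be replaced by `tail` or `grep` over `/var/log/auth.log`, and the threshold chosen so that a single mistyped username from a legitimate user does not get them blocked; the `Accepted` line in the sample is there to show that only failed probes are counted.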

