Re: Auto Populating Blocked IP's List
From: Bill Vermillion (bv_at_wjv.com)
Date: 10/16/04
Date: Sat, 16 Oct 2004 17:55:01 GMT
In article <416cb270$0$451$a726171b@news.hal-pc.org>, james <at> wrote:
>Larry Fowkes wrote:
>> I have a server running FreeBSD 4.9 which is used mostly as a
>> safe offsite storage area for personal and business related
>> files for myself and some friends. It is installed at a CO-LO
>> facility where a good friend was gracious enough to give me 1U
>> of free rack space in his cabinet.
>> Lately the number of attempted logins from outsiders has
>> gotten out of hand. Each day the security output has hundreds,
>> sometimes thousands of attempted ssh and ftp logins. I am a
>> believer in good strong passwords, so far nobody has been able
>> to come up with one. What I would like to add is some type of
>> script that after say 5 failed log in attempts, the ip address
>> in question is permanently blocked until manually unblocked
>> by myself. I had thought of just creating a list of allowed
>> IP's but since I and others connect from various places it
>> would be problematic. Any advice or suggestions would be much
>> appreciated.
I've been seeing a lot of those in the past 4-6 months too.
>ever thought of doing a whois on some of the IPs in question and
>reporting it to abuse@domain?? you'd be surprised how fast it
>stops (depending on the ISP). just provide detailed logs.
Since most often the attempts on the machines I admin are coming
out of South Korea I didn't even bother.
I just checked my security logs - which I save - and I see
attempts from England, Korea (several blocks from different ISPs),
China and Australia. I see the major attacks started on July 13
of this year.
The earliest attacks were trying to almost invariably login as
admin, test, or guest. Then they lightened up for awhile and
now they are almost always trying to come in as root - and there is
no way root can login to any machine unless they are at the
keyboard in the colo - and that place is extremely secure - with
every rack having its own lock on it.
>I agree with Conrad though. block all but specific IPs or ranges
>of IPs. get with those people that need access and find out the
>IP blocks their ISP is handing out and allow only those.
If things are tightened down is that going to be necessary? The
machine I have getting most of the hits also had one domain that
was getting in excess of 300,000 spams per day. I finally removed
all the MX records, which cut it to about 50K day, until I put an
MX back in with an address of 127.0.0.1. Not nice - but it cut it
down to about 50 day.
Bill
-- Bill Vermillion - bv @ wjv . com
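
The script asked for in the quoted question (block an address after 5 failed logins and keep it blocked until it is removed by hand), as an added example that is not part of the original thread. It covers sshd only and produces the list without loading it into a firewall; the log line format, the function name `update_blocklist` and the `allow` list are assumptions, and the sample log lines are constructed.

```python
import re
from collections import Counter

THRESHOLD = 5  # failed attempts before an address is blocked (figure from the question)

# sshd failure lines ("illegal user" is older OpenSSH wording, "invalid user" newer).
# The match is anchored on the END of the line, where sshd writes the peer address,
# so text inside the attempted user name cannot supply the address that gets blocked.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?.*"
    r" from (\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh2)?\s*$"
)

def update_blocklist(log_lines, blocked=(), allow=(), threshold=THRESHOLD):
    """Return (blocked_set, newly_blocked) after scanning log_lines.

    blocked: addresses already blocked; never dropped here, so a block
             stays in place until an operator removes it by hand.
    allow:   hypothetical safety list of addresses that are never blocked.
    """
    failures = Counter()
    for line in log_lines:
        m = FAILED.search(line)
        if m:
            failures[m.group(1)] += 1
    result = set(blocked)
    new = sorted(ip for ip, n in failures.items()
                 if n >= threshold and ip not in allow and ip not in result)
    result.update(new)
    return result, new

# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE = (
    [f"Oct 16 03:1{i}:01 host sshd[41{i}]: Failed password for illegal user "
     f"{u} from 192.0.2.10 port 40{i}1 ssh2"
     for i, u in enumerate(["admin", "test", "guest", "admin", "test"])]
    + [f"Oct 16 04:0{i}:07 host sshd[52{i}]: Failed password for root "
       f"from 198.51.100.7 port 51{i}2 ssh2" for i in range(6)]
    + ["Oct 16 05:00:00 host sshd[600]: Failed password for larry "
       "from 203.0.113.5 port 6000 ssh2"] * 2
    + ["Oct 16 05:10:00 host sshd[601]: Accepted password for larry "
       "from 203.0.113.5 port 6001 ssh2"]
)

if __name__ == "__main__":
    blocked, new = update_blocklist(SAMPLE, blocked={"192.0.2.99"})
    print("newly blocked:", new)
    print("full list:", sorted(blocked))
```

The user with two mistyped passwords followed by a successful login stays below the threshold and is not blocked.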