On 20/03/10 23:17, Vadkan Jozsef wrote:
> What's the best method to ban that ip [what is bruteforcing a server]
> what was logged on the logger?
> I need to ban the ip on the router pc.

Take your time to think about if this is indeed the right solution.

1st: You need to decide which is the right policy to deploy. Basically
you can opt for a default deny or a default allow. With default deny you
create white lists for the exceptions that should be allowed. With
default allow you create black lists. Default deny and default allow
roughly correspond to the policies of OpenBSD vs. Microsoft Windows.

So, when is white listing an option? When you have a limited set of
exceptions, for example your local users that need ssh access. If this
set is limited consider deploying default deny. On the other hand, this
is not an option for your web service that you wish to provide for
anyone anywhere.

Blacklisting is futile (think, did anti-virus solve the virus problem?).
Intruders may attempt to connect from anywhere, blocking a single IP
won't solve your problem, most likely the next attempt will not come
from that IP. This is because these attacks may be launched from a
number of compromised PCs and because the attacking PC may have a
dynamically assigned address. So you need to block entire ranges, but
which?

I recently analysed my maillog to see where attempted spammers connected
from. I found some 3500 hosts in 1600 ranges (using whois lookup). These
ranges being typically /16. I haven't tried with ssh but I doubt it
would be much different.

If on top of this you make some auto-respond system, you expose yourself
to a denial of service attack, blindly blocking anything that creates a
log entry.

Whether you use white or black listing this is effective only if you can
make informed decisions. If you don't do business with, say, China and you
know that 25% of all spam originates from China, it is only rational to
block access from China.

But, whenever possible, use white listing.

BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157 http://www.locolomo.org
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
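
The hosts-versus-ranges count described in the reply, as an added example that is not part of the original message. It groups by a fixed /16 prefix instead of the whois lookups the poster used, and the log lines and the allowlist network are constructed for illustration; it also flags any range whose blocking would cut off an allowlisted network.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample sshd log lines; addresses come from documentation ranges.
SAMPLE_LOG = """\
Mar 20 23:01:10 gw sshd[811]: Failed password for root from 198.51.100.7 port 4022 ssh2
Mar 20 23:01:12 gw sshd[811]: Failed password for root from 198.51.100.7 port 4023 ssh2
Mar 20 23:02:40 gw sshd[815]: Failed password for invalid user admin from 198.51.100.93 port 5111 ssh2
Mar 20 23:05:03 gw sshd[822]: Failed password for invalid user test from 203.0.113.20 port 3301 ssh2
Mar 20 23:09:55 gw sshd[830]: Accepted publickey for erik from 192.0.2.14 port 50122 ssh2
Mar 20 23:11:27 gw sshd[841]: Failed password for root from 192.0.2.200 port 6120 ssh2
"""

# Hypothetical allowlist: the only network that should ever reach sshd.
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/28")]

FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port")

def failed_sources(log):
    """Count failed-login lines per source address, skipping unparsable hosts."""
    hits = Counter()
    for m in FAILED.finditer(log):
        try:
            hits[ipaddress.ip_address(m.group(1))] += 1
        except ValueError:
            continue  # hostname or garbage in the address field
    return hits

def group_by_range(addresses, prefix=16):
    """Map each enclosing /prefix network to the set of hosts seen inside it."""
    ranges = defaultdict(set)
    for addr in addresses:
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        ranges[net].add(addr)
    return dict(ranges)

def collides_with_allowlist(ranges, allowlist):
    """Ranges that would also cut off an allowlisted network if blocked."""
    return sorted(r for r in ranges if any(r.overlaps(a) for a in allowlist))

if __name__ == "__main__":
    hits = failed_sources(SAMPLE_LOG)
    ranges = group_by_range(hits)
    print(f"{len(hits)} hosts in {len(ranges)} /16 ranges")
    for net in collides_with_allowlist(ranges, ALLOWLIST):
        print(f"blocking {net} would lock out an allowlisted network")
```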