RE: Blacklisting IPs
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of artware
> Sent: Tuesday, January 11, 2005 2:06 PM
> To: freebsd-questions@freebsd.org
> Subject: Re: Blacklisting IPs
>
> These types of attacks don't seem directed -- it's more like fishing
> for unprotected systems.
>
> FWIW, changing the ssh port dropped the illegal user attempts
> to 0 instantly...

I'm sure it did, why does that matter though? You're not intending to run an unprotected system? The point was that you're no more secure than you were previously. Fishing attempts aren't what you need to worry about being protected from.

Ted

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Blacklisting IPs
On Tuesday 11 January 2005 12:46 am, artware wrote:
> Thanks for the input, everyone! Port-knocking is overkill at this
> point, but I did do the following things to sshd_config:
>
> Set port to non-default
> PermitRootLogin no
> LoginGraceTime 45s
> AllowUsers lists only one user -- me. :)
>
> I also did route -nq add -host xxx.xxx.xxx.xxx 127.0.0.1 -blackhole...
>
> I think telnet was disabled by default in the base 5.3 install...
>
> I know this attack was probably random, but the whole reason I took
> over as sysadmin and switched to FreeBSD is that our RHE box was being
> broken into almost nightly -- so I'm sensitive to security concerns.
> Is there anything else I should consider doing to the stock FreeBSD to
> fortify it? It already feels about 100 times more secure than RH...

You might consider using pf as a stateful packet filter. You could for example limit SSH connections to certain IP addresses, redirect connections at port 25 to spamd, etc., etc. There's a very good user's guide and overview of pf at:

http://www.openbsd.org/faq/pf/index.html

Jay
Re: Blacklisting IPs
it was said:
> These types of attacks don't seem directed -- it's more like fishing
> for unprotected systems.
>
> FWIW, changing the ssh port dropped the illegal user attempts to 0
> instantly...
>
> - ben
>
> On Mon, 10 Jan 2005 23:29:10 -0800, Ted Mittelstaedt
> <[EMAIL PROTECTED]> wrote:
>> If I'm going to attack you I'm going to use nessus to scan all
>> ports on your machine.

Hello,

Too many break-in attempts come from cracked Windows boxes running script bots to make reporting these attempts practical, so I changed my ssh port to a non-standard one. Now, if I see a break-in attempt, I block the /21 the attacking IP falls into and report it to the relevant ISP/network admin because I know a black hat has taken a personal interest in my network.

Regards,
Stheg
Re: Blacklisting IPs
These types of attacks don't seem directed -- it's more like fishing for unprotected systems.

FWIW, changing the ssh port dropped the illegal user attempts to 0 instantly...

- ben

On Mon, 10 Jan 2005 23:29:10 -0800, Ted Mittelstaedt <[EMAIL PROTECTED]> wrote:
> If I'm going to attack you I'm going to use nessus to scan all
> ports on your machine.
Re: Blacklisting IPs
Hi,

> It's best to report them and it's not hard to do it. There are
> automated tools that will do it.

I would be very interested in setting up such a tool on my server as well. My passwords are not easy to guess, and root is not allowed to login anyways, and chances are extremely slim that someone will guess the one and only username/password combination that is actually allowed to SSH and to su -.

Nonetheless, I find it annoying that some kids with nothing better to do download these stupid brute force tools in order to call themselves hackers. Duh! Therefore, I could well do without having 22,000 lines of failed attempts in my security logs (though as of late they haven't been that long), and I wouldn't mind reporting the critters to their ISPs.

Does anyone have a good suggestion for such a tool? It would be cool if the tool could spot such brute force attempts, and when it sees e.g. more than 5 failed attempts from the same IP within say 5 minutes of time, it would blacklist the IP, and would automatically report the crack attempt to the ISP of the critters.

Anyone?

Cheerz!
Olafo
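The log-watching tool Olafo asks about, sketched here as an added example (not code from anyone in the thread): it reads the "Illegal user ... from ..." lines ben quoted from /var/log/auth.log, applies the "more than 5 failures from one IP within 5 minutes" rule, and renders the pfctl command that would add the offender to a pf table. The table name `bruteforce`, the sample log lines and the year are constructed assumptions; reporting to the ISP is left to the operator.

```python
"""Watch auth.log for sshd 'Illegal user' probes, flag source IPs that exceed
a failure threshold inside a time window, and render the pf table command an
operator could run. Example code, not a tool from the thread."""
import re
from collections import defaultdict, deque
from datetime import datetime

# FreeBSD 5.x-era sshd syslog line, in the form quoted in the thread:
#   "Jan 10 01:20:01 host sshd[1201]: Illegal user admin from 192.0.2.10"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Illegal user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample log. 192.0.2.10 hammers six names in under three minutes;
# 198.51.100.7 is the slow "hours to try a dozen names" scanner ben described.
SAMPLE_LOG = """\
Jan 10 01:20:01 fbsd sshd[1201]: Illegal user admin from 192.0.2.10
Jan 10 01:20:30 fbsd sshd[1202]: Illegal user test from 192.0.2.10
Jan 10 01:21:05 fbsd sshd[1203]: Illegal user guest from 192.0.2.10
Jan 10 01:21:40 fbsd sshd[1204]: Illegal user user from 192.0.2.10
Jan 10 01:22:15 fbsd sshd[1205]: Illegal user oracle from 192.0.2.10
Jan 10 01:22:50 fbsd sshd[1206]: Illegal user mysql from 192.0.2.10
Jan 10 02:00:00 fbsd sshd[1300]: Illegal user admin from 198.51.100.7
Jan 10 03:00:00 fbsd sshd[1301]: Illegal user test from 198.51.100.7
Jan 10 04:00:00 fbsd sshd[1302]: Illegal user guest from 198.51.100.7
Jan 10 05:00:00 fbsd sshd[1303]: Illegal user user from 198.51.100.7
Jan 10 06:00:00 fbsd sshd[1304]: Illegal user oracle from 198.51.100.7
Jan 10 07:00:00 fbsd sshd[1305]: Illegal user mysql from 198.51.100.7
Jan 10 07:00:05 fbsd sshd[1306]: Accepted publickey for ben from 203.0.113.5 port 4022 ssh2
"""


def parse_line(line, year=2005):
    """Return (timestamp, username, source_ip) for an 'Illegal user' line,
    or None for anything else. syslog omits the year, so it is supplied."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def find_offenders(lines, threshold=5, window_seconds=300, year=2005):
    """Olafo's criterion: more than `threshold` failures from one IP inside
    any `window_seconds` span. Returns {ip: time the threshold was crossed}."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, _user, ip = parsed
        if ip in offenders:
            continue               # already flagged; no need to keep counting
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()       # drop failures older than the window
        if len(window) > threshold:
            offenders[ip] = ts
    return offenders


def pf_commands(offenders, table="bruteforce"):
    """Render the pfctl invocations that add each offender to a pf table
    (the table name is this example's assumption). Strings only, never run."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(offenders)]


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG.splitlines())
    for ip, when in sorted(hits.items()):
        print(f"{ip} crossed the threshold at {when:%b %d %H:%M:%S}")
    print("\n".join(pf_commands(hits)))
```

For the rendered command to do anything, pf.conf would need a `table <bruteforce> persist` line and a `block in quick from <bruteforce>` rule (pf syntax, not from the thread). Note that the slow scanner in the sample, one attempt an hour apart as ben described, never trips a five-minute window.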
Re: Blacklisting IPs
Ted Mittelstaedt wrote:
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] Behalf Of Chris
>> Sent: Monday, January 10, 2005 4:07 PM
>> To: artware
>> Cc: freebsd-questions@freebsd.org
>> Subject: Re: Blacklisting IPs
>>
>> artware wrote:
>>> Hello again,
>>>
>>> My 5.3R system has only been up a little over a week, and I've already
>>> had a few break-in attempts -- they show up as Illegal user tests in
>>> the /var/log/auth.log... It looks like they're trying common login
>>> names (probably with the login name used as passwd). It takes them
>>> hours to try a dozen names, but I'd rather not have any traffic from
>>> these folks. Is there any way to blacklist IPs at the system level, or
>>> do I have to hack something together for each daemon?
>>>
>>> - ben
>>
>> Here's what I do -
>>
>> as root: route -nq add -host xxx.xxx.xxx.xxx 127.0.0.1 -blackhole
>>
>> To the attacker, it looks as if you dropped off the net.
>
> This actually isn't the best advice since the incoming packets from the
> attacker are still using up your bandwidth. It's best to report them and
> it's not hard to do it. There are automated tools that will do it. As the
> CTO of an ISP let me tell you that we get about 1 of those reports every
> few months - that is how few people are reporting them - and we look
> closely at every one of them. This isn't a situation where the abuse
> departments of most ISPs are overflowing with so many network abuse
> notifications that they aren't interested in getting more of them.

I've had these showing up in my auth.log since mid-December. Most of the time, my lookups have gone to domains registered in Elbonia and frankly I have my doubts about any administrators over there caring. The only Western abuse@ I found sent me an automated reply. I'm waiting to get one from Singapore---maybe I can get somebody caned...

--
Carleton Vaughn
College Park, Georgia, USA
RE: Blacklisting IPs
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Jez Hancock
> Sent: Monday, January 10, 2005 11:42 AM
> To: freebsd-questions@freebsd.org
> Subject: Re: Blacklisting IPs
>
> Another fairly simple option though is to just change the port that
> sshd listens on since the attacks presume that sshd is listening on
> port 22. Not always practical though if you have lots of users.

If I'm going to attack you I'm going to use nessus to scan all ports on your machine.

Ted
RE: Blacklisting IPs
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Chris
> Sent: Monday, January 10, 2005 4:07 PM
> To: artware
> Cc: freebsd-questions@freebsd.org
> Subject: Re: Blacklisting IPs
>
> artware wrote:
>> Hello again,
>>
>> My 5.3R system has only been up a little over a week, and I've already
>> had a few break-in attempts -- they show up as Illegal user tests in
>> the /var/log/auth.log... It looks like they're trying common login
>> names (probably with the login name used as passwd). It takes them
>> hours to try a dozen names, but I'd rather not have any traffic from
>> these folks. Is there any way to blacklist IPs at the system level, or
>> do I have to hack something together for each daemon?
>>
>> - ben
>
> Here's what I do -
>
> as root: route -nq add -host xxx.xxx.xxx.xxx 127.0.0.1 -blackhole
>
> To the attacker, it looks as if you dropped off the net.

This actually isn't the best advice since the incoming packets from the attacker are still using up your bandwidth. It's best to report them and it's not hard to do it. There are automated tools that will do it. As the CTO of an ISP let me tell you that we get about 1 of those reports every few months - that is how few people are reporting them - and we look closely at every one of them. This isn't a situation where the abuse departments of most ISPs are overflowing with so many network abuse notifications that they aren't interested in getting more of them.

Now spam notifications - that's a different issue - few people reporting spam know how to do it properly nor how to figure out where to correctly report them, with the unfortunate result that they are quickly becoming useless. Only about 1 in 400 spam notifications I get a week nowadays are even indicating spam coming from our IP range, let alone indicating bona fide spam.

Going after wannabes that are using our service to try breaking into other computers is one of the enjoyable parts of my job, to be honest. It's a lot more fun than sending out form e-mails to spam reports saying some polite variation of "look at the source IP number that spam originated from not the domain name, dumbass"

Ted
Re: Blacklisting IPs
Thanks for the input, everyone! Port-knocking is overkill at this point, but I did do the following things to sshd_config:

Set port to non-default
PermitRootLogin no
LoginGraceTime 45s
AllowUsers lists only one user -- me. :)

I also did route -nq add -host xxx.xxx.xxx.xxx 127.0.0.1 -blackhole...

I think telnet was disabled by default in the base 5.3 install...

I know this attack was probably random, but the whole reason I took over as sysadmin and switched to FreeBSD is that our RHE box was being broken into almost nightly -- so I'm sensitive to security concerns. Is there anything else I should consider doing to the stock FreeBSD to fortify it? It already feels about 100 times more secure than RH...

- ben
Re: Blacklisting IPs
artware wrote:
> Hello again,
>
> My 5.3R system has only been up a little over a week, and I've already
> had a few break-in attempts -- they show up as Illegal user tests in
> the /var/log/auth.log... It looks like they're trying common login
> names (probably with the login name used as passwd). It takes them
> hours to try a dozen names, but I'd rather not have any traffic from
> these folks. Is there any way to blacklist IPs at the system level, or
> do I have to hack something together for each daemon?
>
> - ben

Here's what I do -

as root: route -nq add -host xxx.xxx.xxx.xxx 127.0.0.1 -blackhole

To the attacker, it looks as if you dropped off the net.

--
Best regards,
Chris

To save disk space in your home directory, compress files you rarely use with "gzip filename".
-- Dru <[EMAIL PROTECTED]>
Re: Blacklisting IPs
On January 10, 2005 01:20 am, artware wrote:
> My 5.3R system has only been up a little over a week, and I've already
> had a few break-in attempts -- they show up as Illegal user tests in
> the /var/log/auth.log... It looks like they're trying common login
> names (probably with the login name used as passwd). It takes them
> hours to try a dozen names, but I'd rather not have any traffic from
> these folks. Is there any way to blacklist IPs at the system level, or
> do I have to hack something together for each daemon?

i have three suggestions for this:

1) edit sshd_config to set PermitRootLogin to "no". since root is the only user on your system that obviously exists elsewhere, this is a nice start

2) set up sshd to allow connections with keys only. then go buy yourself a usb key and keep your private key on there when you connect.

3) use a port-knocking daemon:
http://www.portknocking.org/
http://www.zeroflux.org/knock/

--
those who say it cannot be done should not interrupt the person doing it - unknown
Re: Blacklisting IPs
Louis LeBlanc wrote:
> On 01/10/05 12:20 AM, artware sat at the `puter and typed:
>> My 5.3R system has only been up a little over a week, and I've already
>> had a few break-in attempts -- they show up as Illegal user tests in
>> the /var/log/auth.log... It looks like they're trying common login
>> names (probably with the login name used as passwd). It takes them
>> hours to try a dozen names, but I'd rather not have any traffic from
>> these folks. Is there any way to blacklist IPs at the system level, or
>> do I have to hack something together for each daemon?
>
> I get this all the time too. I'm sure anyone with a *nix system on the
> net does.

I have two boxes, one allows password authentication, and I also see these attempts. The other only accepts login with ssh-keys and I see no such activity.

> I'm sure after reading this, someone else will post another favorite
> password generation method, including the numerous ports available - I'd
> like to see one that checks the security of a password rather than just
> generating them.

yeah, close your eyes, hit the keyboard with all 10 fingers and your nose and see what comes out:

ac0e48 amæifljasc4å0w(V4

ok - I admit, I didn't hit the keyboard with my nose, but it's absolutely not a dictionary word :-)

> As for the firewall and the originating IP, I follow a plain process:
>
> Check the whois record of the offending IP
>
> If the IP is in Asia, Russia, or Nigeria, I drop the CIDR spec into my
> firewall table and never hear from anyone on the network again. The CIDR
> spec is part of the whois record
>
> If the IP is in Western Europe or North America, I notify the abuse
> address to inform them they either have a cracker or a cracked system.
>
> This practice has reduced these attempts considerably. Each time I see
> another, I add it to the blocked table (I use pf, not ipfw).

If it's a problem, try to reverse your thinking, why are you allowing access from everywhere in the first place? It is far easier to list the ranges you know your users will be logging in from than try to block these occasional events that never happen from the same source. If you are serving a university campus it's likely not an option to block off specific countries or continents, but if it's your SOHO I see no reason you should leave the doors open from ranges you know can only be intruders.

If interested, I have a script for picking out countries from the delegation lists: www.daemonsecurity.com/src/ip-rules.pl

Go ahead and hack it to create the rules you need.

Cheers,
Erik
--
Ph: +34.666334818
web: www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
Re: Blacklisting IPs
On 01/10/05 07:42 PM, Jez Hancock sat at the `puter and typed:
> On Mon, 10 Jan 2005 12:23:04 -0500, Louis LeBlanc
> <[EMAIL PROTECTED]> wrote:
>> On 01/10/05 12:20 AM, artware sat at the `puter and typed:
>>> Hello again,
>>>
>>> My 5.3R system has only been up a little over a week, and I've already
>>> had a few break-in attempts -- they show up as Illegal user tests in
>>> the /var/log/auth.log... It looks like they're trying common login
>>> names (probably with the login name used as passwd). It takes them
>>> hours to try a dozen names, but I'd rather not have any traffic from
>>> these folks. Is there any way to blacklist IPs at the system level, or
>>> do I have to hack something together for each daemon?
>>
>> The best defense is a good firewall, good passwords, and restriction of
>> user ids that may login remotely.
>
> I started blocking the addresses that attacked but the frequency of
> the attacks made it impractical to add every attacking address to the
> firewall ruleset. I came to the conclusion that as long as the items
> you mention above are in place - especially good passwords - and the
> attacks aren't saturating the connection, then there's little to worry
> about - perhaps on a par with portscanning.

You're right there, but I figure I'm going to get hundreds or thousands of IPs if I block the CIDR spec. It's a little heavy handed, but those networks will often beget dozens of attacks over a space of a couple weeks sometimes, and often no two come from the same IP. Whether it's the same system is anyone's guess, but unless they get a new provider, they have no access to my system.

> Another fairly simple option though is to just change the port that
> sshd listens on since the attacks presume that sshd is listening on
> port 22. Not always practical though if you have lots of users.

I've seen this recommended here many times. I haven't done it because I work on too many systems that I don't have that kind of control over, and I don't need to confuse myself with nonstandard configs. I already have 2 or 3 dozen passwords to remember :|

Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org

I have yet to see any problem, however complicated, which, when you looked at it in the right way, did not become still more complicated.
-- Poul Anderson
Re: Blacklisting IPs
On Mon, 10 Jan 2005 12:23:04 -0500, Louis LeBlanc <[EMAIL PROTECTED]> wrote:
> On 01/10/05 12:20 AM, artware sat at the `puter and typed:
>> Hello again,
>>
>> My 5.3R system has only been up a little over a week, and I've already
>> had a few break-in attempts -- they show up as Illegal user tests in
>> the /var/log/auth.log... It looks like they're trying common login
>> names (probably with the login name used as passwd). It takes them
>> hours to try a dozen names, but I'd rather not have any traffic from
>> these folks. Is there any way to blacklist IPs at the system level, or
>> do I have to hack something together for each daemon?
>
> The best defense is a good firewall, good passwords, and restriction of
> user ids that may login remotely.

I started blocking the addresses that attacked but the frequency of the attacks made it impractical to add every attacking address to the firewall ruleset. I came to the conclusion that as long as the items you mention above are in place - especially good passwords - and the attacks aren't saturating the connection, then there's little to worry about - perhaps on a par with portscanning.

Another fairly simple option though is to just change the port that sshd listens on since the attacks presume that sshd is listening on port 22. Not always practical though if you have lots of users.

--
Jez Hancock - System Administrator / PHP Developer
http://munk.nu/
http://freebsd.munk.nu/ - A FreeBSD Diary
http://ipfwstats.sf.net/ - ipfw per-user traffic logging
Re: Blacklisting IPs
On 01/10/05 06:04 PM, John Conover sat at the `puter and typed:
> Louis LeBlanc writes:
>>
>> A practice one of my former co-workers liked was to pick a song and pull
>> letters out; take Fleetwood Mac: "Don't Stop Thinking About Tomorrow".
>> You could get "DSTAT", turn that into something else, like "dSt4T".
>> Pretty short, but definitely not a dictionary word. You could even take
>> more letters from the next line: "Don't Stop, It'll Soon Be Here" and get
>> "dSt4TDs1SbH", or any number of derivations. If you forget the actual
>> password, your song is an excellent hint.
>>
>
> I think that comes from RFC1244, (Site Security Handbook,) which is a
> pretty good security SOP for *_general_* 'Net users.
>
> The stuff 1244 suggests is not perfect, by any means, but is a
> relatively good compromise between security, usability, and
> operational costs.
>
> For example, to keep sysadmin phone calls on forgotten passwds to a
> minimum, 1244 suggests the words in a user's favorite song, ('cause
> folk's minds remember the words,) to seven letters - maybe with
> capitalization. For example, if the "Star Spangled Banner" is the
> 'fav, then a passwd would be "oH#saY#caN#".
>
> If logins must be updated periodically, then the user's next passwd
> would be, "yoU#See", and so on.
>
> It's certainly not perfect[1], but it's cheap to administer, easy to
> use, etc., and relatively hard to crack by algorithmic means - at least
> without filling up the log files, giving the sysadm a "heads up" to
> type something beginning with "block ..."
>
> 1244 has a lot of cute little security things like that.
>
> John
>
> [1] Yea, I've tried a passwd policy of denied vowel-consonant
> relationships, (e.g., words.) Not only did I have a lot of phone calls
> on forgotten passwds, I gained credentials as an English teacher.

LOL. I understand completely.

BTW, a quick search yielded an update to 1244: 2196, which can be found here:
http://www.faqs.org/rfcs/rfc2196.html

Thanks.
Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org

The following statement is not true. The previous statement is true.
Re: Blacklisting IPs
Louis LeBlanc writes:
>
> A practice one of my former co-workers liked was to pick a song and pull
> letters out; take Fleetwood Mac: "Don't Stop Thinking About Tomorrow".
> You could get "DSTAT", turn that into something else, like "dSt4T".
> Pretty short, but definitely not a dictionary word. You could even take
> more letters from the next line: "Don't Stop, It'll Soon Be Here" and get
> "dSt4TDs1SbH", or any number of derivations. If you forget the actual
> password, your song is an excellent hint.
>

I think that comes from RFC1244, (Site Security Handbook,) which is a pretty good security SOP for *_general_* 'Net users.

The stuff 1244 suggests is not perfect, by any means, but is a relatively good compromise between security, usability, and operational costs.

For example, to keep sysadmin phone calls on forgotten passwds to a minimum, 1244 suggests the words in a user's favorite song, ('cause folk's minds remember the words,) to seven letters - maybe with capitalization. For example, if the "Star Spangled Banner" is the 'fav, then a passwd would be "oH#saY#caN#".

If logins must be updated periodically, then the user's next passwd would be, "yoU#See", and so on.

It's certainly not perfect[1], but it's cheap to administer, easy to use, etc., and relatively hard to crack by algorithmic means - at least without filling up the log files, giving the sysadm a "heads up" to type something beginning with "block ..."

1244 has a lot of cute little security things like that.

John

[1] Yea, I've tried a passwd policy of denied vowel-consonant relationships, (e.g., words.) Not only did I have a lot of phone calls on forgotten passwds, I gained credentials as an English teacher.

--
John Conover, [EMAIL PROTECTED], http://www.johncon.com/
Re: Blacklisting IPs
On 01/10/05 12:20 AM, artware sat at the `puter and typed:
> Hello again,
>
> My 5.3R system has only been up a little over a week, and I've already
> had a few break-in attempts -- they show up as Illegal user tests in
> the /var/log/auth.log... It looks like they're trying common login
> names (probably with the login name used as passwd). It takes them
> hours to try a dozen names, but I'd rather not have any traffic from
> these folks. Is there any way to blacklist IPs at the system level, or
> do I have to hack something together for each daemon?

I get this all the time too. I'm sure anyone with a *nix system on the net does. The source is a script, often run on a system that has already been compromised. Probably an attempt to crack hosting systems that provide shell accounts to users - often they don't use very good passwords. I vaguely remember reading somewhere that there was an old Linux vulnerability that they were attempting to exploit too.

The best defense is a good firewall, good passwords, and restriction of user ids that may login remotely. Check /etc/login.access. You can define subnets from which groups of users are allowed to login, prohibit remote login, etc.

I have only one account that can login remotely, and I use a fairly secure password for it - meaning not even remotely a dictionary word, even with the vowel transforms.

A practice one of my former co-workers liked was to pick a song and pull letters out; take Fleetwood Mac: "Don't Stop Thinking About Tomorrow". You could get "DSTAT", turn that into something else, like "dSt4T". Pretty short, but definitely not a dictionary word. You could even take more letters from the next line: "Don't Stop, It'll Soon Be Here" and get "dSt4TDs1SbH", or any number of derivations. If you forget the actual password, your song is an excellent hint.

You get the idea. You can take this idea and apply it in a number of ways to a number of subjects, concepts, etc.

I'm sure after reading this, someone else will post another favorite password generation method, including the numerous ports available - I'd like to see one that checks the security of a password rather than just generating them.

As for the firewall and the originating IP, I follow a plain process:

Check the whois record of the offending IP

If the IP is in Asia, Russia, or Nigeria, I drop the CIDR spec into my firewall table and never hear from anyone on the network again. The CIDR spec is part of the whois record

If the IP is in Western Europe or North America, I notify the abuse address to inform them they either have a cracker or a cracked system.

This practice has reduced these attempts considerably. Each time I see another, I add it to the blocked table (I use pf, not ipfw).

Many systems will not have the CIDR blocking option available, but I have no expectation of legitimate traffic from areas that I do block. If you have paying customers, you have to just deal with it and try to lock things down in other ways.

Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org

The first thing we do, let's kill all the lawyers.
-- Wm. Shakespeare, "Henry VI", Part IV
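Louis wished for a tool that checks the security of a password rather than generating one. This added example (not from anyone in the thread) does the check he describes: it undoes the vowel/digit substitutions a cracker's rules try, looks for dictionary words inside the result, and scores length and character mix, then runs the song-derived passwords from the thread through it. The mini wordlist and the length and class thresholds are this example's assumptions.

```python
"""Check a candidate password the way the thread describes: reject a
dictionary word even after the usual digit/vowel substitutions have been
undone (p4ssw0rd), and require some length and a mix of character classes.
Example code, not a tool from the thread."""
import itertools
import string

# Constructed mini wordlist; a real check would load /usr/share/dict/words
# or a cracking wordlist instead. Sorted so matches are deterministic.
WORDLIST = sorted({"password", "admin", "secret", "dragon", "letmein",
                   "welcome", "freebsd", "tomorrow", "banner"})

# Substitutions a cracker's rule set undoes; '1' is ambiguous (i or l).
SUBSTITUTIONS = {
    "4": "a", "@": "a", "3": "e", "1": "il", "!": "i", "0": "o",
    "$": "s", "5": "s", "7": "t", "+": "t",
}


def candidate_words(password):
    """Yield lowercase variants of `password` with substitutions undone and
    other punctuation dropped, one per combination of ambiguous characters."""
    choices = []
    for ch in password.lower():
        if ch in SUBSTITUTIONS:
            choices.append(SUBSTITUTIONS[ch])
        elif ch in string.ascii_lowercase:
            choices.append(ch)
    for combo in itertools.product(*choices):
        yield "".join(combo)


def dictionary_hit(password, wordlist=WORDLIST):
    """Return the first wordlist entry found inside any variant, else None."""
    for variant in candidate_words(password):
        for entry in wordlist:
            if entry in variant:
                return entry
    return None


def check_password(password, min_length=8, min_classes=3):
    """Return (ok, reasons). The length and class thresholds are this
    example's assumptions, not a policy from the thread."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    classes = sum(
        any(c in cls for c in password)
        for cls in (string.ascii_lowercase, string.ascii_uppercase,
                    string.digits, string.punctuation)
    )
    if classes < min_classes:
        reasons.append(f"only {classes} character class(es)")
    hit = dictionary_hit(password)
    if hit is not None:
        reasons.append(f"contains dictionary word {hit!r} once substitutions are undone")
    return (not reasons, reasons)


if __name__ == "__main__":
    # The song-derived passwords from the thread beside two leet-speak words.
    for pw in ("dSt4T", "dSt4TDs1SbH", "oH#saY#caN#", "p4ssw0rd", "Fr33BSD!"):
        ok, why = check_password(pw)
        print(f"{pw:14} {'ok' if ok else 'weak: ' + '; '.join(why)}")
```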
Re: Blacklisting IPs
artware wrote:
> Hello again,
>
> My 5.3R system has only been up a little over a week, and I've already
> had a few break-in attempts -- they show up as Illegal user tests in
> the /var/log/auth.log... It looks like they're trying common login
> names (probably with the login name used as passwd). It takes them
> hours to try a dozen names, but I'd rather not have any traffic from
> these folks. Is there any way to blacklist IPs at the system level, or
> do I have to hack something together for each daemon?
>
> - ben

/etc/hosts.allow?

There were a lot of varying ideas in a thread titled "blacklisting failed ssh attempts" on this list about Dec. 1st --- perhaps you can gain some wisdom there.

I don't know that it's much to worry about, just a bot looking for lame passwords on Linux boxen. There are a number of possible responses, and the likelihood of a successful "attack" via this mechanism seems slim.

Kevin Kinsey
Re: Blacklisting IPs
I have the same problem - numerous attempts to crack accounts like "admin", "Guest", "test", and so on. If it continually comes from the same IP, blocking that IP at the firewall should do the trick. However, if the attempts come from varying IPs and you intend to allow logins from the Internet, then you'd need to block out an unwieldy number of IP addresses.

The best bet in this case is to make sure your system is as secure as possible. Disable telnet and allow only ssh logins. Make sure you use strong passwords, or better, try one time passwords. (See the handbook.) I use ssh, no telnet from outside the lan, with ssh restricted to allow only certain users/groups to login, and all those groups use opie for one time passwords. In addition, the firewall (I use IPF) is pretty tight, only allowing through the services I want available outside the lan.

I do seem to recall a scheme that detects such things as port scans and automagically adds a rule to the firewall to block the offending IP address, but I doubt that would help in your case.

One other thing I have done: Since a great many of the attempts come from IPs that resolve to the "pl" top level domain, I've just blocked any ip address that resolves to that domain altogether. I don't really expect any interest in my web site to come from Poland, so the action is feasible for me.

I'm certain that others on the list will come up with better methods, but I just wanted to toss in my 2 cents worth.

Gene

artware wrote:
> Hello again,
>
> My 5.3R system has only been up a little over a week, and I've already
> had a few break-in attempts -- they show up as Illegal user tests in
> the /var/log/auth.log... It looks like they're trying common login
> names (probably with the login name used as passwd). It takes them
> hours to try a dozen names, but I'd rather not have any traffic from
> these folks. Is there any way to blacklist IPs at the system level, or
> do I have to hack something together for each daemon?
>
> - ben
Blacklisting IPs
Hello again,

My 5.3R system has only been up a little over a week, and I've already had a few break-in attempts -- they show up as Illegal user tests in the /var/log/auth.log... It looks like they're trying common login names (probably with the login name used as passwd). It takes them hours to try a dozen names, but I'd rather not have any traffic from these folks. Is there any way to blacklist IPs at the system level, or do I have to hack something together for each daemon?

- ben