Re: Simplest way to deny access to a class C

2011-03-04 Thread krad
On 4 March 2011 02:43, Jorge Biquez jbiq...@intranet.com.mx wrote:

 Thank you all for your time and comments.

 I guess that I will install a firewall, that way I can also block those
 Class C's from sending tons of emails to non existing accounts
 I will read the website to see the best options.  Any suggestion is more
 than welcome.

 Jorge Biquez


 At 06:02 p.m. 03/03/2011, you wrote:

 Be careful of automated responses.  What if someone spoofs IP's of legit
 users / customers / whatever and your automated response blocks them?  Not
 good.

 I thought about blockingwell, never mind - might pi$$ someone off and
 attract unwanted attention...

 -Original Message-
 From: owner-freebsd-questi...@freebsd.org [mailto:
 owner-freebsd-questi...@freebsd.org] On Behalf Of Patrick Gibson
 Sent: Thursday, March 03, 2011 5:58 PM
 To: Jorge Biquez
 Cc: freebsd-questions@freebsd.org
 Subject: Re: Simplest way to deny access to a class C

 You might consider mod_security (/usr/ports/www/mod_security) which
 can be set up to ban hosts based on behaviour or characteristics.

 Or fail2ban (/usr/ports/security/py-fail2ban) is really great, too, in
 that it scans whatever logs you want, and can trigger a block in your
 firewall if enough violating log entries are found within a particular
 period of time. Everything is totally configurable, and there are
 plenty of examples that come with it.

 Patrick


 On Thu, Mar 3, 2011 at 8:59 AM, Jorge Biquez jbiq...@intranet.com.mx
 wrote:
  Hello all.
 
  I am sorry in advance if this question sounds too stupid.
 
  I have a small server for personal use of webpages running:
 
  7.3-PRERELEASE FreeBSD 7.3-PRERELEASE #0
 
  it is working fine , no problem very stable.
 
  I just need to block some IP class C address that are always trying to
  discover directories or applications under the web server. They do not
 do
  and can not do anything since this server has nothing installed but i am
  tired of seeing in the logs all the intents they do every 2-3 seconds.
 
  I have not installed any kind of firewall yet.
  What do you think is the best way to accomplish this task? If possible
 the
  easiest one. I do not want to do anything else but just bloc IP's, at
 this
  moment at least.
 
  Thanks in advance.
 
  Jorge Biquez
 
  ___
  freebsd-questions@freebsd.org mailing list
  http://lists.freebsd.org/mailman/listinfo/freebsd-questions
  To unsubscribe, send any mail to 
 freebsd-questions-unsubscr...@freebsd.org
 
 This email is intended to be reviewed by only the intended recipient
  and may contain information that is privileged and/or confidential.
  If you are not the intended recipient, you are hereby notified that
  any review, use, dissemination, disclosure or copying of this email
  and its attachments, if any, is strictly prohibited.  If you have
  received this email in error, please immediately notify the sender by
  return email and delete this email from your system.



You might want to look at geoip as well. You can open up services to specific
regions then, or block other regions. Can be controversial though.


Re: Simplest way to deny access to a class C

2011-03-04 Thread David Brodbeck
On Thu, Mar 3, 2011 at 4:02 PM, Gary Gatten ggat...@waddell.com wrote:
 Be careful of automated responses.  What if someone spoofs IP's of legit 
 users / customers / whatever and your automated response blocks them?  Not 
 good.

Fortunately this is a relatively low risk with fail2ban, because to
spoof a failed SSH connection you need to spoof a whole three-way TCP
handshake.  This could happen, but only if the attacker is on the
same subnet as the affected customer or can intercept all their
traffic for a man-in-the-middle attack.  A bigger risk is customers
fat-fingering their password repeatedly and locking themselves out. ;)


Re: Simplest way to deny access to a class C

2011-03-04 Thread Patrick Gibson
fail2ban by default only bans an IP for 10 minutes, and that's
configurable. It can also email you anytime it imposes a ban, so one
can keep an eye on things at least in the beginning to see if it's
causing a problem for legitimate users.

On Thu, Mar 3, 2011 at 4:02 PM, Gary Gatten ggat...@waddell.com wrote:
 Be careful of automated responses.  What if someone spoofs IP's of legit 
 users / customers / whatever and your automated response blocks them?  Not 
 good.

 I thought about blockingwell, never mind - might pi$$ someone off and 
 attract unwanted attention...

 -Original Message-
 From: owner-freebsd-questi...@freebsd.org 
 [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Patrick Gibson
 Sent: Thursday, March 03, 2011 5:58 PM
 To: Jorge Biquez
 Cc: freebsd-questions@freebsd.org
 Subject: Re: Simplest way to deny access to a class C

 You might consider mod_security (/usr/ports/www/mod_security) which
 can be set up to ban hosts based on behaviour or characteristics.

 Or fail2ban (/usr/ports/security/py-fail2ban) is really great, too, in
 that it scans whatever logs you want, and can trigger a block in your
 firewall if enough violating log entries are found within a particular
 period of time. Everything is totally configurable, and there are
 plenty of examples that come with it.

 Patrick


 On Thu, Mar 3, 2011 at 8:59 AM, Jorge Biquez jbiq...@intranet.com.mx wrote:
 Hello all.

 I am sorry in advance if this question sounds too stupid.

 I have a small server for personal use of webpages running:

 7.3-PRERELEASE FreeBSD 7.3-PRERELEASE #0

 it is working fine , no problem very stable.

 I just need to block some IP class C address that are always trying to
 discover directories or applications under the web server. They do not do
 and can not do anything since this server has nothing installed but i am
 tired of seeing in the logs all the intents they do every 2-3 seconds.

 I have not installed any kind of firewall yet.
 What do you think is the best way to accomplish this task? If possible the
 easiest one. I do not want to do anything else but just bloc IP's, at this
 moment at least.

 Thanks in advance.

 Jorge Biquez



Re: Simplest way to deny access to a class C

2011-03-04 Thread Outback Dingo
On Fri, Mar 4, 2011 at 7:14 PM, Patrick Gibson gibblert...@gmail.com wrote:

 fail2ban by default only bans an IP for 10 minutes, and that's
 configurable. It can also email you anytime it imposes a ban, so one
 can keep an eye on things at least in the beginning to see if it's
 causing a problem for legitimate users.

 On Thu, Mar 3, 2011 at 4:02 PM, Gary Gatten ggat...@waddell.com wrote:
  Be careful of automated responses.  What if someone spoofs IP's of legit
 users / customers / whatever and your automated response blocks them?  Not
 good.
 
  I thought about blockingwell, never mind - might pi$$ someone off and
 attract unwanted attention...
 
  -Original Message-
  From: owner-freebsd-questi...@freebsd.org [mailto:
 owner-freebsd-questi...@freebsd.org] On Behalf Of Patrick Gibson
  Sent: Thursday, March 03, 2011 5:58 PM
  To: Jorge Biquez
  Cc: freebsd-questions@freebsd.org
  Subject: Re: Simplest way to deny access to a class C
 
  You might consider mod_security (/usr/ports/www/mod_security) which
  can be set up to ban hosts based on behaviour or characteristics.
 
  Or fail2ban (/usr/ports/security/py-fail2ban) is really great, too, in
  that it scans whatever logs you want, and can trigger a block in your
  firewall if enough violating log entries are found within a particular
  period of time. Everything is totally configurable, and there are
  plenty of examples that come with it.
 
  Patrick
 
 
  On Thu, Mar 3, 2011 at 8:59 AM, Jorge Biquez jbiq...@intranet.com.mx
 wrote:
  Hello all.
 
  I am sorry in advance if this question sounds too stupid.
 
  I have a small server for personal use of webpages running:
 
  7.3-PRERELEASE FreeBSD 7.3-PRERELEASE #0
 
  it is working fine , no problem very stable.
 
  I just need to block some IP class C address that are always trying to
  discover directories or applications under the web server. They do not
 do
  and can not do anything since this server has nothing installed but i am
  tired of seeing in the logs all the intents they do every 2-3 seconds.
 
  I have not installed any kind of firewall yet.
  What do you think is the best way to accomplish this task? If possible
 the
  easiest one. I do not want to do anything else but just bloc IP's, at
 this
  moment at least.


I wonder why nobody's mentioned a quite simple method with tcpwrappers and
hosts.allow / hosts.deny also




 
  Thanks in advance.
 
  Jorge Biquez
 


Re: Simplest way to deny access to a class C

2011-03-04 Thread Robison, Dave


Check out portsentry perhaps?

I used to use it quite a bit. Whenever someone would hit one of a number 
of defined ports, I'd automatically add a rule denying them in IPFW and 
also drop their route to a non-existent IP on my class C.




On 03/04/11 16:14, Patrick Gibson wrote:

fail2ban by default only bans an IP for 10 minutes, and that's
configurable. It can also email you anytime it imposes a ban, so one
can keep an eye on things at least in the beginning to see if it's
causing a problem for legitimate users.

On Thu, Mar 3, 2011 at 4:02 PM, Gary Gatten ggat...@waddell.com wrote:

Be careful of automated responses.  What if someone spoofs IP's of legit users 
/ customers / whatever and your automated response blocks them?  Not good.

I thought about blockingwell, never mind - might pi$$ someone off and 
attract unwanted attention...

-Original Message-
From: owner-freebsd-questi...@freebsd.org 
[mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Patrick Gibson
Sent: Thursday, March 03, 2011 5:58 PM
To: Jorge Biquez
Cc: freebsd-questions@freebsd.org
Subject: Re: Simplest way to deny access to a class C

You might consider mod_security (/usr/ports/www/mod_security) which
can be set up to ban hosts based on behaviour or characteristics.

Or fail2ban (/usr/ports/security/py-fail2ban) is really great, too, in
that it scans whatever logs you want, and can trigger a block in your
firewall if enough violating log entries are found within a particular
period of time. Everything is totally configurable, and there are
plenty of examples that come with it.

Patrick


On Thu, Mar 3, 2011 at 8:59 AM, Jorge Biquez jbiq...@intranet.com.mx wrote:

Hello all.

I am sorry in advance if this question sounds too stupid.

I have a small server for personal use of webpages running:

7.3-PRERELEASE FreeBSD 7.3-PRERELEASE #0

it is working fine , no problem very stable.

I just need to block some IP class C address that are always trying to
discover directories or applications under the web server. They do not do
and can not do anything since this server has nothing installed but i am
tired of seeing in the logs all the intents they do every 2-3 seconds.

I have not installed any kind of firewall yet.
What do you think is the best way to accomplish this task? If possible the
easiest one. I do not want to do anything else but just bloc IP's, at this
moment at least.

Thanks in advance.

Jorge Biquez





--
Dave Robison
Sales Solution Architect II
FIS Banking Solutions
510/621-2089 (w)
530/518-5194 (c)
510/621-2020 (f)
da...@vicor.com
david.robi...@fisglobal.com

_

The information contained in this message is proprietary and/or confidential. 
If you are not the intended recipient, please: (i) delete the message and all 
copies; (ii) do not disclose, distribute or use the message in any manner; and 
(iii) notify the sender immediately. In addition, please be aware that any 
message addressed to our domain is subject to archiving and review by persons 
other than the intended recipient. Thank you.
_


Re: Simplest way to deny access to a class C

2011-03-04 Thread Jorge Biquez




I wonder why nobody's mentioned a quite simple method with tcpwrappers and
hosts.allow / hosts.deny also


Hello.

I guess something simple could work. For some reason, don't ask me
why because I did not find why, the:


Order Deny, Allow
Deny IP
Allow all

under httpd.conf and outside as .htaccess does not work but for now
the thing is simple, to block a class C, those guys are stupid and
programmed bad an application (I guess) and are pointing to one of my
domains... since 4 weeks ago I am receiving this kind of access:


189.254.19.93 - - [04/Mar/2011:19:43:48 -0600] OPTIONS / HTTP/1.1 200 - - Microsoft-WebDAV-MiniRedir/5.1.2600
189.254.19.93 - - [04/Mar/2011:19:43:48 -0600] PROPFIND /Backup-usuarios HTTP/1.1 301 323 - Microsoft-WebDAV-MiniRedir/5.1.2600
189.254.19.93 - - [04/Mar/2011:19:43:48 -0600] PROPFIND /Backup-usuarios/ HTTP/1.1 200 40833 - Microsoft-WebDAV-MiniRedir/5.1.2600
189.254.19.93 - - [04/Mar/2011:19:44:13 -0600] OPTIONS / HTTP/1.1 200 - - Microsoft-WebDAV-MiniRedir/5.1.2600
189.254.19.93 - - [04/Mar/2011:19:44:13 -0600] PROPFIND /Backup-usuarios HTTP/1.1 301 323 - Microsoft-WebDAV-MiniRedir/5.1.2600
189.254.19.93 - - [04/Mar/2011:19:44:13 -0600] PROPFIND /Backup-usuarios/ HTTP/1.1 200 40833 - Microsoft-WebDAV-MiniRedir/5.1.2600
189.254.19.93 - - [04/Mar/2011:19:44:19 -0600] OPTIONS / HTTP/1.1 200 - - Microsoft-WebDAV-MiniRedir/5.1.2600
189.254.19.93 - - [04/Mar/2011:19:44:19 -0600] PROPFIND /Backup-usuarios HTTP/1.1 301 323 - Microsoft-WebDAV-MiniRedir/5.1.2600
189.254.19.93 - - [04/Mar/2011:19:44:19 -0600] PROPFIND /Backup-usuarios/ HTTP/1.1 200 40833 - Microsoft-WebDAV-MiniRedir/5.1.2600
189.254.19.93 - - [04/Mar/2011:19:44:34 -0600] OPTIONS / HTTP/1.1 200 - - Microsoft-WebDAV-MiniRedir/5.1.2600
189.254.19.93 - - [04/Mar/2011:19:44:34 -0600] PROPFIND /Backup-usuarios HTTP/1.1 301 323 - Microsoft-WebDAV-MiniRedir/5.1.2600
189.254.19.93 - - [04/Mar/2011:19:44:34 -0600] PROPFIND /Backup-usuarios/ HTTP/1.1 200 40833 - Microsoft-WebDAV-MiniRedir/5.1.2600
189.254.19.93 - - [04/Mar/2011:19:45:06 -0600] OPTIONS / HTTP/1.1 200 - - Microsoft-WebDAV-MiniRedir/5.1.2600
189.254.19.93 - - [04/Mar/2011:19:45:06 -0600] PROPFIND /Backup-usuarios HTTP/1.1 301 323 - Microsoft-WebDAV-MiniRedir/5.1.2600
189.254.19.93 - - [04/Mar/2011:19:45:06 -0600] PROPFIND /Backup-usuarios/ HTTP/1.1 200 40833 - Microsoft-WebDAV-MiniRedir/5.1.2600


They change IP's, from the same Class C. Not trying to do anything
else, hack or send email.
So I decided to block the Class C. I guess that with the deny, allow
directives under Apache would be enough but they do not work. I am
under Apache 1.3x and all works fine but those directives do not. I
tried, read and was not able to make them work so that's why I
decided to block them and block others, those yes are trying to hack,
the simplest way. Anyway I will see if the:



hosts.allow / hosts.deny


would help.  If needed I would upgrade to latest version of FreeBSD 
Apache or whatever needed. Even when they do not do anything my 
server, a 386 that has been running Freebsd the last 13 years since 
Freebsd 3.x is supporting this extra load and besides they are 
wasting my bandwidth. I can not do anything and no problem but I'd 
like to solve this and continue learning Freebsd.


Thanks for your time.

Jorge Biquez
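
The log in the message above shows clients rotating through one /24, so the unit to count and block is the network, not the single address. The script below is an added example, not part of the original post: it groups OPTIONS/PROPFIND requests by /24, skips allowlisted networks, and prints ipfw and Apache 1.3 mod_access rules for review. The sample log lines, the addresses (documentation ranges), the threshold and the rule number are constructed assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Finds the /24s behind WebDAV-style
# probing in an Apache access log and prints block rules for review.

# Constructed sample in combined log format (documentation address ranges).
sample_log() {
    cat <<'EOF'
203.0.113.93 - - [04/Mar/2011:19:43:48 -0600] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
203.0.113.93 - - [04/Mar/2011:19:43:48 -0600] "PROPFIND /Backup-usuarios HTTP/1.1" 301 323 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
203.0.113.17 - - [04/Mar/2011:19:44:13 -0600] "PROPFIND /Backup-usuarios/ HTTP/1.1" 200 40833 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
203.0.113.201 - - [04/Mar/2011:19:44:19 -0600] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
198.51.100.7 - - [04/Mar/2011:19:44:20 -0600] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Mar/2011:19:44:25 -0600] "OPTIONS / HTTP/1.1" 200 - "-" "Mozilla/5.0"
192.0.2.10 - - [04/Mar/2011:19:45:06 -0600] "PROPFIND / HTTP/1.1" 200 512 "-" "davfs2/1.4"
192.0.2.10 - - [04/Mar/2011:19:45:07 -0600] "PROPFIND /docs HTTP/1.1" 200 512 "-" "davfs2/1.4"
192.0.2.11 - - [04/Mar/2011:19:45:08 -0600] "PROPFIND /docs/ HTTP/1.1" 200 512 "-" "davfs2/1.4"
EOF
}

# stdin: access log. $1: minimum OPTIONS/PROPFIND requests per /24.
# stdout: "count a.b.c.0/24", busiest network first.
probing_nets() {
    awk -v min="$1" '
    {
        method = $6
        sub(/^"/, "", method)              # combined format quotes the request
        if (method != "OPTIONS" && method != "PROPFIND") next
        if (split($1, o, ".") != 4) next   # hostname or IPv6 client: skip
        for (i = 1; i <= 4; i++)           # only real dotted quads reach a rule
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
        hits[o[1] "." o[2] "." o[3] ".0/24"]++
    }
    END { for (n in hits) if (hits[n] >= min + 0) print hits[n], n }
    ' | sort -k1,1nr -k2,2
}

# stdin: "count net" lines. $1: space-separated networks that must never be
# blocked (your own, known customers), so automation cannot lock them out.
not_allowlisted() {
    awk -v allow="$1" '
    BEGIN { k = split(allow, a, " "); for (i = 1; i <= k; i++) ok[a[i]] = 1 }
    !($2 in ok)
    '
}

# stdin: "count net" lines. $1: first ipfw rule number; it has to be lower
# than the rule that admits HTTP, because ipfw stops at the first match.
ipfw_rules() {
    awk -v n="$1" '{ printf "ipfw -q add %d deny ip from %s to any\n", n++, $2 }'
}

# stdin: "count net" lines. Prints an Apache 1.3 mod_access stanza.
# With "Order Allow,Deny" the Deny lines are evaluated last and win; with
# "Order Deny,Allow" an "Allow from all" would override every Deny. The two
# keywords take no space after the comma. Keep the stanza outside any <Limit>
# block so that it also applies to OPTIONS and PROPFIND.
apache_deny() {
    echo "Order Allow,Deny"
    echo "Allow from all"
    awk '{ print "Deny from " $2 }'
}

# Demo on the constructed sample; 192.0.2.0/24 stands in for a trusted
# network that uses WebDAV legitimately.
sample_log | probing_nets 3 | not_allowlisted "192.0.2.0/24" | ipfw_rules 1000
sample_log | probing_nets 3 | not_allowlisted "192.0.2.0/24" | apache_deny
```

Pipe the real access log through `probing_nets` in place of `sample_log`, and read the printed rules before applying any of them.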



Re: Simplest way to deny access to a class C

2011-03-04 Thread Gary Gatten
Null (bogus) route that /24 seems the most simple to me: 5 seconds and no 
upgrades or add ons.

- Original Message -
From: Jorge Biquez [mailto:jbiq...@intranet.com.mx]
Sent: Friday, March 04, 2011 08:07 PM
To: freebsd-questions@freebsd.org freebsd-questions@freebsd.org
Subject: Re: Simplest way to deny access to a class C



I wonder why nobody's mentioned a quite simple method with tcpwrappers and
hosts.allow / hosts.deny also

Hello.

I guess something simple could work. For some reason, don't ask me
why because I did not find why, the:

Order Deny, Allow
Deny IP
Allow all

under httpd.conf and outside as .htaccess does not work but for now
the thing is simple, to block a class C, those guys are stupid and
programmed bad an application (I guess) and are pointing to one of my
domains... since 4 weeks ago I am receiving this kind of access:

189.254.19.93 - - [04/Mar/2011:19:43:48 -0600] OPTIONS / HTTP/1.1 200 - - Microsoft-WebDAV-MiniRedir/5.1.2600
189.254.19.93 - - [04/Mar/2011:19:43:48 -0600] PROPFIND /Backup-usuarios HTTP/1.1 301 323 - Microsoft-WebDAV-MiniRedir/5.1.2600
189.254.19.93 - - [04/Mar/2011:19:43:48 -0600] PROPFIND /Backup-usuarios/ HTTP/1.1 200 40833 - Microsoft-WebDAV-MiniRedir/5.1.2600
189.254.19.93 - - [04/Mar/2011:19:44:13 -0600] OPTIONS / HTTP/1.1 200 - - Microsoft-WebDAV-MiniRedir/5.1.2600
189.254.19.93 - - [04/Mar/2011:19:44:13 -0600] PROPFIND /Backup-usuarios HTTP/1.1 301 323 - Microsoft-WebDAV-MiniRedir/5.1.2600
189.254.19.93 - - [04/Mar/2011:19:44:13 -0600] PROPFIND /Backup-usuarios/ HTTP/1.1 200 40833 - Microsoft-WebDAV-MiniRedir/5.1.2600
189.254.19.93 - - [04/Mar/2011:19:44:19 -0600] OPTIONS / HTTP/1.1 200 - - Microsoft-WebDAV-MiniRedir/5.1.2600
189.254.19.93 - - [04/Mar/2011:19:44:19 -0600] PROPFIND /Backup-usuarios HTTP/1.1 301 323 - Microsoft-WebDAV-MiniRedir/5.1.2600
189.254.19.93 - - [04/Mar/2011:19:44:19 -0600] PROPFIND /Backup-usuarios/ HTTP/1.1 200 40833 - Microsoft-WebDAV-MiniRedir/5.1.2600
189.254.19.93 - - [04/Mar/2011:19:44:34 -0600] OPTIONS / HTTP/1.1 200 - - Microsoft-WebDAV-MiniRedir/5.1.2600
189.254.19.93 - - [04/Mar/2011:19:44:34 -0600] PROPFIND /Backup-usuarios HTTP/1.1 301 323 - Microsoft-WebDAV-MiniRedir/5.1.2600
189.254.19.93 - - [04/Mar/2011:19:44:34 -0600] PROPFIND /Backup-usuarios/ HTTP/1.1 200 40833 - Microsoft-WebDAV-MiniRedir/5.1.2600
189.254.19.93 - - [04/Mar/2011:19:45:06 -0600] OPTIONS / HTTP/1.1 200 - - Microsoft-WebDAV-MiniRedir/5.1.2600
189.254.19.93 - - [04/Mar/2011:19:45:06 -0600] PROPFIND /Backup-usuarios HTTP/1.1 301 323 - Microsoft-WebDAV-MiniRedir/5.1.2600
189.254.19.93 - - [04/Mar/2011:19:45:06 -0600] PROPFIND /Backup-usuarios/ HTTP/1.1 200 40833 - Microsoft-WebDAV-MiniRedir/5.1.2600

They change IP's, from the same Class C. Not trying to do anything
else, hack or send email.
So I decided to block the Class C. I guess that with the deny, allow
directives under Apache would be enough but they do not work. I am
under Apache 1.3x and all works fine but those directives do not. I
tried, read and was not able to make them work so that's why I
decided to block them and block others, those yes are trying to hack,
the simplest way. Anyway I will see if the:

hosts.allow / hosts.deny

would help.  If needed I would upgrade to latest version of FreeBSD 
Apache or whatever needed. Even when they do not do anything my 
server, a 386 that has been running Freebsd the last 13 years since 
Freebsd 3.x is supporting this extra load and besides they are 
wasting my bandwidth. I can not do anything and no problem but I'd 
like to solve this and continue learning Freebsd.

Thanks for your time.

Jorge Biquez



Re: Simplest way to deny access to a class C

2011-03-04 Thread Patrick Gibson
The original question had to do with requests to a web server, and it
would not be practical nor typical to route all http traffic through
inetd.

As well, tcpwrappers require manual work; mod_security and fail2ban
both ban automatically based on specified criteria and patterns.
While mod_security only works for Apache, fail2ban works for any
service that writes out to a log file. We have it watching our
instances of Apache, Postfix, Cyrus IMAP, and sshd services for
repeated login failure within a short period of time. It has done
wonders.

Patrick

On Fri, Mar 4, 2011 at 4:30 PM, Outback Dingo outbackdi...@gmail.com wrote:


 On Fri, Mar 4, 2011 at 7:14 PM, Patrick Gibson gibblert...@gmail.com
 wrote:

 fail2ban by default only bans an IP for 10 minutes, and that's
 configurable. It can also email you anytime it imposes a ban, so one
 can keep an eye on things at least in the beginning to see if it's
 causing a problem for legitimate users.

 On Thu, Mar 3, 2011 at 4:02 PM, Gary Gatten ggat...@waddell.com wrote:
  Be careful of automated responses.  What if someone spoofs IP's of legit
  users / customers / whatever and your automated response blocks them?  Not
  good.
 
  I thought about blockingwell, never mind - might pi$$ someone off
  and attract unwanted attention...
 
  -Original Message-
  From: owner-freebsd-questi...@freebsd.org
  [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Patrick Gibson
  Sent: Thursday, March 03, 2011 5:58 PM
  To: Jorge Biquez
  Cc: freebsd-questions@freebsd.org
  Subject: Re: Simplest way to deny access to a class C
 
  You might consider mod_security (/usr/ports/www/mod_security) which
  can be set up to ban hosts based on behaviour or characteristics.
 
  Or fail2ban (/usr/ports/security/py-fail2ban) is really great, too, in
  that it scans whatever logs you want, and can trigger a block in your
  firewall if enough violating log entries are found within a particular
  period of time. Everything is totally configurable, and there are
  plenty of examples that come with it.
 
  Patrick
 
 
  On Thu, Mar 3, 2011 at 8:59 AM, Jorge Biquez jbiq...@intranet.com.mx
  wrote:
  Hello all.
 
  I am sorry in advance if this question sounds too stupid.
 
  I have a small server for personal use of webpages running:
 
  7.3-PRERELEASE FreeBSD 7.3-PRERELEASE #0
 
  it is working fine , no problem very stable.
 
  I just need to block some IP class C address that are always trying to
  discover directories or applications under the web server. They do
  not do
  and can not do anything since this server has nothing installed but i
  am
  tired of seeing in the logs all the intents they do every 2-3 seconds.
 
  I have not installed any kind of firewall yet.
  What do you think is the best way to accomplish this task? If possible
  the
  easiest one. I do not want to do anything else but just bloc IP's, at
  this
  moment at least.

 I wonder why nobody's mentioned a quite simple method with tcpwrappers and
 hosts.allow / hosts.deny also



 
  Thanks in advance.
 
  Jorge Biquez
 


Re: Simplest way to deny access to a class C

2011-03-03 Thread Gary Gatten
Adding null routes to the address space in question will prevent comms, but it 
won't stop traffic getting to you and then perhaps being logged.

Some sort of firewall with a policy that denies them without logging?

- Original Message -
From: Jorge Biquez [mailto:jbiq...@intranet.com.mx]
Sent: Thursday, March 03, 2011 10:59 AM
To: freebsd-questions@freebsd.org freebsd-questions@freebsd.org
Subject: Simplest way to deny access to a class C

Hello all.

I am sorry in advance if this question sounds too stupid.

I have a small server for personal use of webpages running:

7.3-PRERELEASE FreeBSD 7.3-PRERELEASE #0

it is working fine , no problem very stable.

I just need to block some IP class C address that are always trying 
to discover directories or applications under the web server. They 
do not do and can not do anything since this server has nothing 
installed but i am tired of seeing in the logs all the intents they 
do every 2-3 seconds.

I have not installed any kind of firewall yet.
What do you think is the best way to accomplish this task? If 
possible the easiest one. I do not want to do anything else but just 
bloc IP's, at this moment at least.

Thanks in advance.

Jorge Biquez



Re: Simplest way to deny access to a class C

2011-03-03 Thread Nathan Vidican
Since you currently have NO firewall, then I would say the simplest method
would be to turn one on, and create an open ruleset allowing all traffic,
then add a filter rule to just block out what you do not want. However,
having said this is the simplest way - it is not the best or even a really
good way. A firewall should be inclusive; designed to only allow what you DO
want and ignore/drop everything else. Please see:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html for
a good explanation and overview. Some firewalls can be used as modules with
the generic kernel, some will require you to compile a custom kernel - again
there are advantages/disadvantages to either approach. Personally I use IPFW
for simple stuff, and PF when it gets more complex, but that's just me.

On Thu, Mar 3, 2011 at 11:59 AM, Jorge Biquez jbiq...@intranet.com.mx wrote:

 Hello all.

 I am sorry in advance if this question sounds too stupid.

 I have a small server for personal use of webpages running:

 7.3-PRERELEASE FreeBSD 7.3-PRERELEASE #0

 It is working fine, no problem, very stable.

 I just need to block some IP class C addresses that are always trying to
 discover directories or applications under the web server. They do not do
 and cannot do anything since this server has nothing installed but I am
 tired of seeing in the logs all the intents they do every 2-3 seconds.

 I have not installed any kind of firewall yet.
 What do you think is the best way to accomplish this task? If possible the
 easiest one. I do not want to do anything else but just block IP's, at this
 moment at least.

 Thanks in advance.

 Jorge Biquez





-- 
Nathan Vidican
nat...@vidican.com
(519) 962-9987 (Canada)
(313) 586-1982 (USA)
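
The two approaches described in this reply, written as an ipfw rules script; this is an added example, not part of the original message. The blocked network, the service ports and the rule numbers are assumptions, and setting IPFW=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example: the "open plus one block" ruleset beside an inclusive one.
# BAD_NET, TCP_IN and the rule numbers are assumptions for illustration.
IPFW="${IPFW:-/sbin/ipfw -q}"   # IPFW=echo gives a dry run
BAD_NET="192.0.2.0/24"          # constructed; the /24 to keep out
TCP_IN="22,25,80"               # assumed services: ssh, smtp, http

# Simplest: everything stays open, one deny sits in front of the final allow.
open_with_block() {
    $IPFW -f flush
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 200 deny ip from "$BAD_NET" to any
    $IPFW add 65000 allow ip from any to any
}

# Inclusive: name what is wanted, then drop and log everything else.
inclusive() {
    $IPFW -f flush
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 200 deny ip from "$BAD_NET" to any
    $IPFW add 300 check-state
    $IPFW add 400 allow tcp from any to me "$TCP_IN" setup keep-state
    $IPFW add 500 allow ip from me to any keep-state
    $IPFW add 65000 deny log ip from any to any
}

# Load one of them: sh this-file open | inclusive
case "${1:-}" in
    open)      open_with_block ;;
    inclusive) inclusive ;;
esac
```

In the inclusive set, rule 200 only matters for the ports that rule 400 opens; every other inbound packet already ends at rule 65000.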


Re: Simplest way to deny access to a class C

2011-03-03 Thread Michael J. Kearney
Install a WINS server to stop NetBIOS requests and a DHCP server or denying the 
DHCP requests won't stop them. Use natd to forward them.

Jorge Biquez jbiq...@intranet.com.mx wrote:


Hello all.

I am sorry in advance if this question sounds too stupid.

I have a small server for personal use of webpages running:

7.3-PRERELEASE FreeBSD 7.3-PRERELEASE #0

It is working fine, no problem, very stable.

I just need to block some IP class C addresses that are always trying
to discover directories or applications under the web server. They
do not do and cannot do anything since this server has nothing
installed but I am tired of seeing in the logs all the intents they
do every 2-3 seconds.

I have not installed any kind of firewall yet.
What do you think is the best way to accomplish this task? If
possible the easiest one. I do not want to do anything else but just
block IP's, at this moment at least.

Thanks in advance.

Jorge Biquez



Re: Simplest way to deny access to a class C

2011-03-03 Thread Michael J. Kearney
PS: what log are you reading? Lol

Michael J. Kearney mkear...@nvita.org wrote:


Install a WINS server to stop NetBIOS requests and a DHCP server or denying the 
DHCP requests won't stop them. Use natd to forward them.

Jorge Biquez jbiq...@intranet.com.mx wrote:


Hello all.

I am sorry in advance if this question sounds too stupid.

I have a small server for personal use of webpages running:

7.3-PRERELEASE FreeBSD 7.3-PRERELEASE #0

It is working fine, no problem, very stable.

I just need to block some IP class C addresses that are always trying
to discover directories or applications under the web server. They
do not do and cannot do anything since this server has nothing
installed but I am tired of seeing in the logs all the intents they
do every 2-3 seconds.

I have not installed any kind of firewall yet.
What do you think is the best way to accomplish this task? If
possible the easiest one. I do not want to do anything else but just
block IP's, at this moment at least.

Thanks in advance.

Jorge Biquez



Re: Simplest way to deny access to a class C

2011-03-03 Thread Frank Shute
On Thu, Mar 03, 2011 at 10:59:59AM -0600, Jorge Biquez wrote:

 Hello all.
 
 I am sorry in advance if this question sounds too stupid.
 
 I have a small server for personal use of webpages running:
 
 7.3-PRERELEASE FreeBSD 7.3-PRERELEASE #0
 
 It is working fine, no problem, very stable.
 
 I just need to block some IP class C addresses that are always trying
 to discover directories or applications under the web server. They
 do not do and cannot do anything since this server has nothing
 installed but I am tired of seeing in the logs all the intents they
 do every 2-3 seconds.
 
 I have not installed any kind of firewall yet.
 What do you think is the best way to accomplish this task? If
 possible the easiest one. I do not want to do anything else but just
 block IP's, at this moment at least.
 
 Thanks in advance.
 
 Jorge Biquez
 

I'm assuming you're running Apache, in which case you can block
addresses using .htaccess

http://www.webmasterworld.com/apache/3118159.htm


Regards,

-- 

 Frank

 Contact info: http://www.shute.org.uk/misc/contact.html






Re: Simplest way to deny access to a class C

2011-03-03 Thread Patrick Gibson
You might consider mod_security (/usr/ports/www/mod_security) which
can be set up to ban hosts based on behaviour or characteristics.

Or fail2ban (/usr/ports/security/py-fail2ban) is really great, too, in
that it scans whatever logs you want, and can trigger a block in your
firewall if enough violating log entries are found within a particular
period of time. Everything is totally configurable, and there are
plenty of examples that come with it.

Patrick


On Thu, Mar 3, 2011 at 8:59 AM, Jorge Biquez jbiq...@intranet.com.mx wrote:
 Hello all.

 I am sorry in advance if this question sounds too stupid.

 I have a small server for personal use of webpages running:

 7.3-PRERELEASE FreeBSD 7.3-PRERELEASE #0

 It is working fine, no problem, very stable.

 I just need to block some IP class C addresses that are always trying to
 discover directories or applications under the web server. They do not do
 and cannot do anything since this server has nothing installed but I am
 tired of seeing in the logs all the intents they do every 2-3 seconds.

 I have not installed any kind of firewall yet.
 What do you think is the best way to accomplish this task? If possible the
 easiest one. I do not want to do anything else but just block IP's, at this
 moment at least.

 Thanks in advance.

 Jorge Biquez



RE: Simplest way to deny access to a class C

2011-03-03 Thread Gary Gatten
Be careful of automated responses.  What if someone spoofs IP's of legit users 
/ customers / whatever and your automated response blocks them?  Not good.

I thought about blockingwell, never mind - might pi$$ someone off and 
attract unwanted attention...

-Original Message-
From: owner-freebsd-questi...@freebsd.org 
[mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Patrick Gibson
Sent: Thursday, March 03, 2011 5:58 PM
To: Jorge Biquez
Cc: freebsd-questions@freebsd.org
Subject: Re: Simplest way to deny access to a class C

You might consider mod_security (/usr/ports/www/mod_security) which
can be set up to ban hosts based on behaviour or characteristics.

Or fail2ban (/usr/ports/security/py-fail2ban) is really great, too, in
that it scans whatever logs you want, and can trigger a block in your
firewall if enough violating log entries are found within a particular
period of time. Everything is totally configurable, and there are
plenty of examples that come with it.

Patrick


On Thu, Mar 3, 2011 at 8:59 AM, Jorge Biquez jbiq...@intranet.com.mx wrote:
 Hello all.

 I am sorry in advance if this question sounds too stupid.

 I have a small server for personal use of webpages running:

 7.3-PRERELEASE FreeBSD 7.3-PRERELEASE #0

 It is working fine, no problem, very stable.

 I just need to block some IP class C addresses that are always trying to
 discover directories or applications under the web server. They do not do
 and cannot do anything since this server has nothing installed but I am
 tired of seeing in the logs all the intents they do every 2-3 seconds.

 I have not installed any kind of firewall yet.
 What do you think is the best way to accomplish this task? If possible the
 easiest one. I do not want to do anything else but just block IP's, at this
 moment at least.

 Thanks in advance.

 Jorge Biquez

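
The log-scanning idea from Patrick's reply, with an allowlist as one answer to the caution above about automated blocks; this is an added example, not code from the thread or from fail2ban. It counts 404 responses per /24 in a sliding window and only prints the ipfw commands for review; the threshold, window, table number and sample log are constructed.

```shell
#!/bin/sh
# Added example: propose /24 blocks from an Apache access log (dry run).
THRESHOLD=3                # 404 responses from one /24 ...
WINDOW=60                  # ... within this many seconds
ALLOW="198.51.100.0/24"    # space-separated /24s that are never proposed
TABLE=1                    # ipfw lookup table number (assumed unused)

# stdin: common/combined log lines; stdout: one offending /24 per line
ban_candidates() {
    awk -v thr="$THRESHOLD" -v win="$WINDOW" -v allow="$ALLOW" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $9 == 404 {
        split($1, o, ".")
        net = o[1] "." o[2] "." o[3] ".0/24"
        if (net in ok) next
        # [03/Mar/2011:10:59:01 -> seconds since the start of the month
        split($4, t, ":")
        now = substr(t[1], 2, 2) * 86400 + t[2] * 3600 + t[3] * 60 + t[4]
        cnt[net]++
        ts[net, cnt[net]] = now
        while (head[net] < cnt[net] && now - ts[net, head[net] + 1] > win) head[net]++
        if (cnt[net] - head[net] >= thr && !(net in seen)) {
            seen[net] = 1
            print net
        }
    }'
}

# Print the commands for review; a rule such as
#   ipfw add 200 deny ip from "table(1)" to any   then drops the whole table.
proposed_rules() {
    ban_candidates | sed "s|^|ipfw table $TABLE add |"
}

# Constructed sample log (documentation address ranges only).
sample_log() {
    cat <<'EOF'
203.0.113.9 - - [03/Mar/2011:09:00:00 -0600] "GET /old HTTP/1.1" 404 209
203.0.113.9 - - [03/Mar/2011:10:00:00 -0600] "GET /old HTTP/1.1" 404 209
192.0.2.10 - - [03/Mar/2011:10:59:01 -0600] "GET /admin/ HTTP/1.1" 404 209
192.0.2.77 - - [03/Mar/2011:10:59:03 -0600] "GET /test/ HTTP/1.1" 404 209
192.0.2.10 - - [03/Mar/2011:10:59:06 -0600] "GET /backup/ HTTP/1.1" 404 209
198.51.100.5 - - [03/Mar/2011:10:59:07 -0600] "GET /a HTTP/1.1" 404 209
198.51.100.5 - - [03/Mar/2011:10:59:08 -0600] "GET /b HTTP/1.1" 404 209
198.51.100.5 - - [03/Mar/2011:10:59:09 -0600] "GET /c HTTP/1.1" 404 209
203.0.113.9 - - [03/Mar/2011:11:00:00 -0600] "GET /old HTTP/1.1" 404 209
EOF
}
sample_log | proposed_rules
```

Only 192.0.2.0/24 is proposed: 198.51.100.0/24 is allowlisted, and the three hits from 203.0.113.0/24 are an hour apart, so they never share a window.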


RE: Simplest way to deny access to a class C

2011-03-03 Thread Jorge Biquez

Thank you all for your time and comments.

I guess that I will install a firewall; that way I can also block
those Class C's from sending tons of emails to non-existing accounts.
I will read the website to see the best options.  Any suggestion is
more than welcome.


Jorge Biquez

At 06:02 p.m. 03/03/2011, you wrote:
Be careful of automated responses.  What if someone spoofs IP's of 
legit users / customers / whatever and your automated response 
blocks them?  Not good.


I thought about blockingwell, never mind - might pi$$ someone 
off and attract unwanted attention...


-Original Message-
From: owner-freebsd-questi...@freebsd.org 
[mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Patrick Gibson

Sent: Thursday, March 03, 2011 5:58 PM
To: Jorge Biquez
Cc: freebsd-questions@freebsd.org
Subject: Re: Simplest way to deny access to a class C

You might consider mod_security (/usr/ports/www/mod_security) which
can be set up to ban hosts based on behaviour or characteristics.

Or fail2ban (/usr/ports/security/py-fail2ban) is really great, too, in
that it scans whatever logs you want, and can trigger a block in your
firewall if enough violating log entries are found within a particular
period of time. Everything is totally configurable, and there are
plenty of examples that come with it.

Patrick


On Thu, Mar 3, 2011 at 8:59 AM, Jorge Biquez jbiq...@intranet.com.mx wrote:
 Hello all.

 I am sorry in advance if this question sounds too stupid.

 I have a small server for personal use of webpages running:

 7.3-PRERELEASE FreeBSD 7.3-PRERELEASE #0

 It is working fine, no problem, very stable.

 I just need to block some IP class C addresses that are always trying to
 discover directories or applications under the web server. They do not do
 and cannot do anything since this server has nothing installed but I am
 tired of seeing in the logs all the intents they do every 2-3 seconds.

 I have not installed any kind of firewall yet.
 What do you think is the best way to accomplish this task? If possible the
 easiest one. I do not want to do anything else but just block IP's, at this
 moment at least.

 Thanks in advance.

 Jorge Biquez
