Re: Deny large number of IPs via ipfw

2006-06-11 Thread Bill Moran
Dan Mahoney, System Admin [EMAIL PROTECTED] wrote:

> Hey all,
>
> I've got a file that I just synced from a major RBL, and I'd like to just
> use it to globally deny access to my system.  Is there an easy way to do
> this within ipfw -- the file is about 3 *million* lines, and is from
> cbl.abuseat.org.

You're probably better off using pf so that you can use a table.

-- 
Bill Moran

You will give me the Ring freely?  In place of the Dark Lord you will set
up a Queen.  And I shall not be dark, but beautiful and terrible as the
Morning and the Night!  Fair as the Sea and the Sun and the Snow upon the
Mountain!  Dreadful as the Storm and the Lightning!  Stronger than the
foundations of the earth.  All shall love me and despair!

Galadriel

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
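Putting Bill's suggestion into practice, as an added example written for this page (it is not code from the thread, from pf, or from the CBL): a small sh script that validates and deduplicates a synced address list, the pf.conf lines that declare a table and block the listed hosts on ports 22 and 80, and the pfctl commands that swap a fresh list into the running table. The one-address-per-line input format, the paths /etc/pf/cbl.txt and /var/db/cbl.txt, the table name cbl and the $ext_if macro are my assumptions; the thread does not describe the file's layout.

```shell
#!/bin/sh
# Added example (not from the thread): turn a CBL-style list of one IPv4
# address per line into a pf table file and load it with pfctl.
# Assumptions: the synced file is one dotted quad per line (the real
# distribution format is not described in the thread), pf is the packet
# filter, and /etc/pf/cbl.txt is the table file named in pf.conf.

# normalize_list: read candidate addresses on stdin, keep only syntactically
# valid IPv4 addresses (four octets, each 0-255), drop comments, blank lines,
# trailing junk and duplicates, and write one address per line to stdout.
# Validating here keeps a corrupt download from making pfctl reject the
# whole table (and leaving the old one in place unnoticed).
normalize_list() {
    awk -F. '
        /^[ \t]*#/ { next }        # comment line
        NF != 4    { next }        # not a dotted quad (covers blank lines)
        {
            ok = 1
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i + 0 > 255) ok = 0
            if (ok && !seen[$0]++) print $0
        }'
}

# pf_conf_fragment: the pf.conf lines that declare the table and use it.
# "persist" keeps the table even when no rule references it, "file" preloads
# it when the ruleset is loaded, and the rule blocks only the ports asked
# about in the thread rather than all traffic.
pf_conf_fragment() {
    cat <<'EOF'
table <cbl> persist file "/etc/pf/cbl.txt"
block in quick on $ext_if proto tcp from <cbl> to any port { 22, 80 }
EOF
}

# load_table: rebuild the table from a freshly synced list without touching
# the ruleset. "-T replace" changes the table contents in place, so a 3
# million entry refresh does not need a reload of pf.conf.
load_table() {   # $1 = raw synced list
    normalize_list < "$1" > /etc/pf/cbl.txt.new &&
    mv /etc/pf/cbl.txt.new /etc/pf/cbl.txt &&
    pfctl -t cbl -T replace -f /etc/pf/cbl.txt
}

# is_blocked: ask pf whether an address is in the live table right now.
# "-T test" prints "N/M addresses match."; a non-zero N means it is listed.
is_blocked() {
    pfctl -t cbl -T test "$1" 2>/dev/null | grep -q '^[1-9][0-9]*/'
}

# Constructed sample (not real CBL data): a duplicate, an out-of-range
# octet, trailing junk and a non-address, of which only two lines survive.
demo_list='# constructed sample
192.0.2.10
192.0.2.10
198.51.100.7
999.1.1.1
203.0.113.5 trailing junk
not an address
'
count_valid() { printf '%s' "$demo_list" | normalize_list | wc -l | tr -d ' '; }

if [ "${1:-}" = "load" ]; then
    load_table "${2:-/var/db/cbl.txt}"
else
    printf '%s' "$demo_list" | normalize_list
    pf_conf_fragment
fi
```

Run it as `load /path/to/synced/list` on the firewall to replace the live table; with no arguments it only prints the cleaned sample and the pf.conf fragment. Keeping the refresh on the `pfctl -t ... -T replace` path rather than `pfctl -f` means the table can be updated from cron as often as the list changes without reparsing the rest of the ruleset.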


RE: Deny large number of IPs via ipfw

2006-06-11 Thread fbsd
Using such a list of IP addresses from a major RBL is flawed at the
core of the idea.
Over 85% of those 3 million IP addresses are spoofed in the first
place.
Most are what would be called false positives.

Reread the info at the source, cbl.abuseat.org; it says the data is
not intended to be used the way you are trying to use it.

You really need to rethink what you are doing.






RE: Deny large number of IPs via ipfw

2006-06-11 Thread Dan Mahoney, System Admin

On Sun, 11 Jun 2006, fbsd wrote:

> Using such a list of IP addresses from a major RBL is flawed at the
> core of the idea.
> Over 85% of those 3 million IP addresses are spoofed in the first
> place.
> Most are what would be called false positives.
>
> Reread the info at the source, cbl.abuseat.org; it says the data is
> not intended to be used the way you are trying to use it.


All it says is: "We're getting a lot of reports of spurious blocking
caused by sites using the CBL to block authenticated access to smarthosts
/ outgoing mail servers. The CBL is only designed to be used on INCOMING
mail, i.e. on the hosts that your MX records point to."

Which I take to mean, yeah, if you're using it on sendmail, you allow SMTP
AUTH to override blacklists (this is the case by default.)


Whereas my intention would be to use it to block ports such as 80 and 22. 
Every system I've found trying to brute-force SSH on my box has already 
been in this database, and by using mod_access_rbl for apache I was able 
to catch and block a dozen or so attempts to post spammish content to 
guestbooks and the like (but I'd like to do this without the overhead of 
apache DNS lookups).


Thanks for your input, though.

-Dan






--

I am a professional drinker, and I know that that was NOT Jose Cuervo!

Well, what was it then?

I think it was some mixture of Rubbing Alcohol, and Desenex(TM) Foot
Powder, because my feet feel okay, and my back doesn't hurt, but my
stomach is killing me!

-Dan Mahoney, Costa Rica, August 12th, 1994

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



RE: Deny large number of IPs via ipfw

2006-06-11 Thread fbsd
This is still wasted busy work. There are much simpler ways to stop
ssh false login attempts and garbage to website guest books.

In ipfw, use the rule limit option, or change the port number ssh uses and
only give your ssh port number to your user group. And for all
websites, add a noise image to stop robots from auto-entering
garbage.  You should use the correct tools instead of some overkill
method.
3 million IP table entries is plain stupid. I fired my system admin
when I caught him trying to do the same stupid thing.



Re: Deny large number of IPs via ipfw (fwd)

2006-06-11 Thread John L

> Using such a list of IP addresses from a major RBL is flawed at the
> core of the idea.  Over 85% of those 3 million IP addresses are spoofed
> in the first place.  Most are what would be called false positives.


Actually there are almost no false positives in the CBL.  The three
million addresses on the CBL really are all IP addresses that have
recently sent spam.  (I know the people who run it and I know how they
get the addresses.)

But I agree that it is a poor idea to try to use it in your router, if
for no other reason than that the CBL is updated every few minutes,
and by the time you stuffed it into your ip tables, it'd be out of date.

The CBL works great for mail servers to refuse mail that has a 99.9+%
chance of being spam.  Use it that way.

If you want to use it to block access to your ssh server, run it from 
inetd and put a shim in between to check the CBL.  Unless you get a dozen 
legit SSH logins a minute, that's vastly faster than trying to rsync a 
rapidly changing three million record file.


R's,
John

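A concrete form of the shim John describes, added here as an example (it is not John's code and not anything the CBL provides): a POSIX sh script that builds the reversed-octet DNSBL query name for a client address, asks the cbl.abuseat.org zone, and exits non-zero when the address is listed, so each ssh connection is checked against the live listing instead of an rsynced copy. My assumptions: dig(1) is installed, a 127.0.0.0/8 answer means "listed" (the usual DNSBL convention), and sshd honours /etc/hosts.allow with the FreeBSD tcp_wrappers aclexec option for the hook; the script name cbl-check is mine.

```shell
#!/bin/sh
# Added example (not from the thread): a per-connection CBL check in the
# spirit of John's "shim". Given a client IPv4 address, it looks up
# <reversed-ip>.cbl.abuseat.org and exits 0 (allow) or 1 (deny).
# Assumptions: dig(1) is available, the zone answers with a 127.0.0.0/8
# address for listed hosts, and the hosts.allow hook shown at the bottom is
# available for your sshd. The script and its name are mine, not the CBL's.

# reverse_ip: 192.0.2.10 -> 10.2.0.192. Prints nothing for anything that is
# not a valid dotted quad, so a garbage argument can never form a query.
reverse_ip() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit
            print $4 "." $3 "." $2 "." $1
        }'
}

# query_name: the DNSBL name to look up for a client address; fails (and
# prints nothing) when the address is not usable.
query_name() {
    rev=$(reverse_ip "$1")
    [ -n "$rev" ] && printf '%s.cbl.abuseat.org\n' "$rev"
}

# answer_is_listed: given the A records returned (one per line), decide
# whether they mean "listed". Any 127/8 address counts; NXDOMAIN gives no
# records and therefore "not listed".
answer_is_listed() {
    printf '%s\n' "$1" | grep -q '^127\.'
}

# cbl_listed: the live lookup. It fails open: if the address is malformed or
# dig cannot get an answer, the client is allowed, because a broken resolver
# must not lock you out of your own ssh.
cbl_listed() {
    name=$(query_name "$1") || return 1
    answer=$(dig +short +time=2 +tries=1 "$name" A 2>/dev/null) || return 1
    answer_is_listed "$answer"
}

# Entry point: exit 1 when listed (deny), 0 otherwise (allow).
# Hook (assumption: sshd built with tcp_wrappers), in /etc/hosts.allow:
#   sshd : ALL : aclexec /usr/local/sbin/cbl-check %a
if [ -n "${1:-}" ]; then
    if cbl_listed "$1"; then
        logger -t cbl-check "deny $1 (listed in cbl.abuseat.org)"
        exit 1
    fi
    exit 0
fi
```

Invoked with no arguments it only defines the functions; with an address it performs the check, so `cbl-check 192.0.2.10; echo $?` is the quickest way to see the verdict. Querying the zone live means the decision always reflects the current listing, which is the staleness problem John raises with a three-million-line rsync, and the lookup happens only on connection setup, so the cost is one DNS round trip per ssh session rather than a table in the kernel.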