Blacklisting IPs

Carleton Vaughn keebler at mindspring.com
Tue Jan 11 06:44:13 PST 2005


Ted Mittelstaedt wrote:
> 
>>-----Original Message-----
>>From: owner-freebsd-questions at freebsd.org
>>[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Chris
>>Sent: Monday, January 10, 2005 4:07 PM
>>To: artware
>>Cc: freebsd-questions at freebsd.org
>>Subject: Re: Blacklisting IPs
>>
>>
>>artware wrote:
>>
>>>Hello again,
>>>
>>>My 5.3R system has only been up a little over a week, and I've already
>>>had a few break-in attempts -- they show up as Illegal user tests in
>>>the /var/log/auth.log... It looks like they're trying common login
>>>names (probably with the login name used as passwd). It takes them
>>>hours to try a dozen names, but I'd rather not have any traffic from
>>>these folks. Is there any way to blacklist IPs at the system level, or
>>>do I have to hack something together for each daemon?
>>>
>>>- ben
>>>
>>Here's what I do -
>>
>>as root: route -nq add -host xxx.xxx.xxx.xxx 127.0.0.1 -blackhole
>>
>>To the attacker, it looks as if you dropped off the net.
>>
>>
> 
> 
> This actually isn't the best advice since the incoming packets
> from the attacker are still using up your bandwidth.
> 
> It's best to report them and it's not hard to do it.  There
> are automated tools that will do it.  As the CTO of an ISP
> let me tell you that we get about 1 of those reports every
> few months - that is how few people are reporting them - and
> we look closely at every one of them.  This isn't a situation
> where the abuse departments of most ISPs are overflowing
> with so many network abuse notifications that they aren't
> interested in getting more of them.

I've had these showing up in my auth.log since mid-December.  Most of 
the time, my lookups have gone to domains registered in Elbonia and 
frankly I have my doubts about any administrators over there caring. 
The only Western abuse@ I found sent me an automated reply.  I'm waiting 
to get one from Singapore---maybe I can get somebody caned...

-- 
Carleton Vaughn
College Park, Georgia, USA
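
An added example, not part of the original message or thread: a shell sketch that counts the "Illegal user" lines per source address and prints, for review, the blackhole route command quoted above for each repeat offender. The sshd line format, the sample log lines and the function names `sample_log`, `offenders` and `blackhole_cmds` are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample of /var/log/auth.log (documentation addresses,
# assumed sshd line format; not data from the thread).
sample_log() {
cat <<'EOF'
Jan 10 03:12:01 host sshd[4121]: Illegal user test from 192.0.2.10
Jan 10 03:12:09 host sshd[4123]: Illegal user admin from 192.0.2.10
Jan 10 03:14:44 host sshd[4130]: Illegal user guest from 192.0.2.10
Jan 10 04:01:17 host sshd[4188]: Illegal user oracle from 198.51.100.7
Jan 10 04:05:00 host sshd[4190]: Accepted password for ben from 203.0.113.5 port 1022 ssh2
Jan 10 04:09:30 host sshd[4195]: Illegal user x from 203.0.113.5 from 198.51.100.7
EOF
}

# offenders MIN: read log lines on stdin, print "count address" for every
# source with at least MIN "Illegal user" lines, busiest first.
offenders() {
    awk -v min="$1" '
        / sshd\[[0-9]+\]: Illegal user / {
            # The user name is text supplied by the remote side, so take the
            # address from the end of the line and accept only a dotted quad.
            ip = $NF
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) seen[ip]++
        }
        END { for (ip in seen) if (seen[ip] >= min) print seen[ip], ip }
    ' | sort -rn
}

# blackhole_cmds MIN: print (do not run) the route command from the thread
# for each offender, so the list can be reviewed before it is applied.
blackhole_cmds() {
    offenders "$1" | while read -r count ip; do
        echo "route -nq add -host $ip 127.0.0.1 -blackhole"
    done
}

sample_log | blackhole_cmds 3
```

Check the printed list against your own and your users' addresses before running any of it as root, since a blackholed host cannot reach the machine at all.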

