securing SSH, FBSD systems

fbsd_user fbsd_user at a1poweruser.com
Mon May 23 18:05:39 PDT 2005


>2- Every time I see script kiddies I black hole their IPs.

>I black hole them not only because of ssh, but because, just as they tried
>to attack ssh the same IPs may try other attacks. I try and stay up to
>date in patches, but it can not hurt to block known
>compromised/hacker machines. The IPs can be listed either in the firewall
>or using
>route add -host <hacker ip> 127.0.0.1 -blackhole

>I was told that this method of blackholing was more efficient when using a
>long list of IPs because IPFW looks at a linear list while the route list
>was some sort of tree which is more efficient to search.

>Over time.. my list of blackholed IPs is 300+ and growing. Every week I
>add anywhere from 2 to 10 new IPs. :-(

>Besides ssh I also look for machines trying to attack the web server.. ie
>a machine looking for files in c:\winnt or any other Windows directory is a
>sure sign of a compromised machine with a virus/worm trying to infect more
>machines.

***********************************  *******************************

These manual routes are stored in memory.
Can you tell how much memory is used by your 300+ list?

Is there some command to display this user-added route list?

Is the <hacker ip> a single IP address or can you say 62.0.0.0/8?

Can I stack these commands in a script to run every time the system
boots?
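
As an added example (not part of the original post or of any reply in the thread), the workflow described in the quoted text can be sketched as follows: count failed ssh logins per source address and print the `route add ... -blackhole` command in the form quoted above for each repeat offender. The log lines are constructed samples in OpenSSH's "Failed password" format, and the function names, the threshold and the `NEVER_BLOCK` list are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines (documentation address ranges), not real data.
SAMPLE_LOG = """\
May 23 17:01:02 host sshd[411]: Failed password for invalid user admin from 203.0.113.7 port 4001 ssh2
May 23 17:01:04 host sshd[411]: Failed password for invalid user test from 203.0.113.7 port 4002 ssh2
May 23 17:01:06 host sshd[411]: Failed password for root from 203.0.113.7 port 4003 ssh2
May 23 17:02:10 host sshd[420]: Failed password for root from 192.0.2.44 port 5100 ssh2
May 23 17:03:00 host sshd[431]: Failed password for bob from 198.51.100.9 port 6000 ssh2
May 23 17:03:02 host sshd[431]: Failed password for bob from 198.51.100.9 port 6001 ssh2
May 23 17:03:04 host sshd[431]: Failed password for bob from 198.51.100.9 port 6002 ssh2
May 23 17:04:00 host sshd[440]: Accepted password for bob from 198.51.100.9 port 6003 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

# Assumption: networks that must never be blackholed (loopback, own admin range),
# so a user who mistypes a password cannot lock the site out of its own server.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "198.51.100.0/24")]

def offenders(log_text, threshold=3):
    """Return sorted IPv4 sources with at least `threshold` failed logins."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # a hostname or garbage in the log, not an address
        # The quoted command uses the IPv4 gateway 127.0.0.1, so only IPv4 is handled.
        if addr.version == 4 and not any(addr in net for net in NEVER_BLOCK):
            counts[addr] += 1
    return sorted(a for a, n in counts.items() if n >= threshold)

def route_commands(addrs, already=()):
    """Build the route commands, skipping addresses that are already blackholed."""
    seen = {ipaddress.ip_address(a) for a in already}
    return [f"route add -host {a} 127.0.0.1 -blackhole" for a in addrs if a not in seen]

if __name__ == "__main__":
    for cmd in route_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

The script only prints the commands, so the list can be reviewed before anything is added to the routing table.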




