IP Banning (Using IPFW)

fbsd_user fbsd_user at a1poweruser.com
Sun Feb 5 12:59:10 PST 2006


I find this kind of approach is treating the symptom and not the
cause.
The basic problem is that the services have well-published port numbers
and attackers beat on those known port numbers. A much simpler
approach is to change the standard port numbers to some high-order
port number. See /etc/services. The SSH logon command allows for a port
number, and the same goes for telnet. Your remote users will be the only
people knowing your selected port numbers for those services. This
way an attacker's port scan will show the well-published port numbers
as not open, so they will pass on attacking those ports on your IP
address. This way your bandwidth usage will be reduced, as attackers
find your IP address as having nothing of interest.

This same kind of thing can also be done for port 80 by using the
web forwarding function of Zoneedit, pointing to a different port for
your web server. Only people coming to your site through DNS will be
forwarded to the correct port.

The clear key here is that attackers roll through a large range of IP
addresses port scanning for open ports. By using nonstandard port
numbers for your services you stop the attacker from even finding you in
the first place.

Good luck, whatever you choose to do.

-----Original Message-----
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Michael A.
Alestock
Sent: Sunday, February 05, 2006 10:42 AM
To: questions at freebsd.org
Subject: IP Banning (Using IPFW)
Importance: High


Hello,

I was wondering if there's some sort of port available that can actively
ban IPs that try to brute-force a service such as SSH or Telnet, by
scanning the /var/log/auth.log log for a regex such as "Illegal User" or
"LOGIN FAILURES", and then using IPFW to essentially deny (ban) that IP
for a certain period of time or possibly forever.

I've seen a very useful one that works for Linux (fail2ban), and was
wondering if one exists for FreeBSD's IPFW?

I've looked around in /usr/ports/security and /usr/ports/net but can't
seem to find anything that closely resembles that.

Your help would be greatly appreciated.... Thanks in advance!

>> Michael A., USA... Loyal FreeBSD user since 2000.
_______________________________________________
freebsd-questions at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"freebsd-questions-unsubscribe at freebsd.org"
