Simplest way to deny access to a class C

Patrick Gibson gibblertron at gmail.com
Sat Mar 5 03:39:59 UTC 2011


The original question had to do with requests to a web server, and it
would not be practical nor typical to route all http traffic through
inetd.

As well, tcpwrappers require manual work; mod_security and fail2ban
both ban automatically based on specified criteria and patterns.
While mod_security only works for Apache, fail2ban works for any
service that writes out to a log file. We have it watching our
instances of Apache, Postfix, Cyrus IMAP, and sshd services for
repeated login failure within a short period of time. It has done
wonders.

Patrick

On Fri, Mar 4, 2011 at 4:30 PM, Outback Dingo <outbackdingo at gmail.com> wrote:
>
>
> On Fri, Mar 4, 2011 at 7:14 PM, Patrick Gibson <gibblertron at gmail.com>
> wrote:
>>
>> fail2ban by default only bans an IP for 10 minutes, and that's
>> configurable. It can also email you anytime it imposes a ban, so one
>> can keep an eye on things at least in the beginning to see if it's
>> causing a problem for legitimate users.
>>
>> On Thu, Mar 3, 2011 at 4:02 PM, Gary Gatten <Ggatten at waddell.com> wrote:
>> > Be careful of automated responses.  What if someone spoofs IP's of legit
>> > users / customers / whatever and your automated response blocks them?  Not
>> > good.
>> >
>> > I thought about blocking....well, never mind - might pi$$ someone off
>> > and attract unwanted attention...
>> >
>> > -----Original Message-----
>> > From: owner-freebsd-questions at freebsd.org
>> > [mailto:owner-freebsd-questions at freebsd.org] On Behalf Of Patrick Gibson
>> > Sent: Thursday, March 03, 2011 5:58 PM
>> > To: Jorge Biquez
>> > Cc: freebsd-questions at freebsd.org
>> > Subject: Re: Simplest way to deny access to a class C
>> >
>> > You might consider mod_security (/usr/ports/www/mod_security) which
>> > can be set up to ban hosts based on behaviour or characteristics.
>> >
>> > Or fail2ban (/usr/ports/security/py-fail2ban) is really great, too, in
>> > that it scans whatever logs you want, and can trigger a block in your
>> > firewall if enough violating log entries are found within a particular
>> > period of time. Everything is totally configurable, and there are
>> > plenty of examples that come with it.
>> >
>> > Patrick
>> >
>> >
>> > On Thu, Mar 3, 2011 at 8:59 AM, Jorge Biquez <jbiquez at intranet.com.mx>
>> > wrote:
>> >> Hello all.
>> >>
>> >> I am sorry in advance if this question sounds too stupid.
>> >>
>> >> I have a small server for personal use of webpages running:
>> >>
>> >> 7.3-PRERELEASE FreeBSD 7.3-PRERELEASE #0
>> >>
>> >> it is working fine, no problem, very stable.
>> >>
>> >> I just need to block some IP class C address that are always trying to
>> >> "discover" directories or applications under the web server. They do not do
>> >> and can not do anything since this server has nothing installed but I am
>> >> tired of seeing in the logs all the intents they do every 2-3 seconds.
>> >>
>> >> I have not installed any kind of firewall yet.
>> >> What do you think is the best way to accomplish this task? If possible the
>> >> easiest one. I do not want to do anything else but just block IP's, at this
>> >> moment at least.
>
> I wonder why nobody's mentioned a quite simple method with tcpwrappers and
> hosts.allow / hosts.deny also
>
>
>>
>> >>
>> >> Thanks in advance.
>> >>
>> >> Jorge Biquez
>> >>
>> >> _______________________________________________
>> >> freebsd-questions at freebsd.org mailing list
>> >> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> >> To unsubscribe, send any mail to
>> >> "freebsd-questions-unsubscribe at freebsd.org"
>> >>
>
>
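
An added example (not part of the original thread and not fail2ban's own code) that models the behaviour described above: count failing log entries per source IP inside a time window and ban for a fixed period. The log lines are constructed, HTTP 404 as the failure criterion and the `FINDTIME`/`MAXRETRY` values are assumptions; the parameter names mirror fail2ban's options and the 10-minute ban is the default mentioned in the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; BANTIME is the 10-minute default from the thread.
FINDTIME = timedelta(seconds=60)
MAXRETRY = 3
BANTIME = timedelta(minutes=10)

# Apache common log format: client, timestamp, request line, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

# Constructed sample log (documentation address ranges), in chronological order.
SAMPLE_LOG = """\
192.0.2.55 - - [03/Mar/2011:08:50:00 +0000] "GET /old-page.html HTTP/1.1" 404 209
192.0.2.55 - - [03/Mar/2011:08:55:00 +0000] "GET /old-page.html HTTP/1.1" 404 209
203.0.113.7 - - [03/Mar/2011:08:59:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209
198.51.100.20 - - [03/Mar/2011:08:59:02 +0000] "GET / HTTP/1.1" 200 1043
203.0.113.7 - - [03/Mar/2011:08:59:03 +0000] "GET /admin/ HTTP/1.1" 404 209
198.51.100.20 - - [03/Mar/2011:08:59:04 +0000] "GET /favicon.ico HTTP/1.1" 404 209
203.0.113.7 - - [03/Mar/2011:08:59:06 +0000] "GET /wp-login.php HTTP/1.1" 404 209
203.0.113.7 - - [03/Mar/2011:08:59:09 +0000] "GET /cgi-bin/test HTTP/1.1" 404 209
192.0.2.55 - - [03/Mar/2011:09:00:00 +0000] "GET /old-page.html HTTP/1.1" 404 209
"""

def find_bans(lines, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Return [(ip, banned_at, expires_at)] for IPs with >= maxretry 404s within findtime."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    banned_until = {}             # ip -> time the current ban expires
    bans = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3) != "404":
            continue              # unparsable line or not a failure
        ip = m.group(1)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        if ip in banned_until and ts < banned_until[ip]:
            continue              # ban still active; do not count again
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # drop failures older than the window
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
            bans.append((ip, ts, ts + bantime))
            window.clear()
    return bans

if __name__ == "__main__":
    for ip, at, until in find_bans(SAMPLE_LOG.splitlines()):
        print(f"ban {ip} at {at:%H:%M:%S}, expires {until:%H:%M:%S}")
```

Only the rapid prober is banned; the client with a single 404 and the client whose 404s are five minutes apart stay below the threshold.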

