Trying to understand dynamic rules

Oliver Fromme olli at
Mon Jul 18 11:21:04 GMT 2005

Francisco Reyes <lists at> wrote:
 > Basically I keep track of attempts to connect to the SSH port. Any IP that 
 > tries to connect using a non existing user numerous times I run a script 
 > and blackhole the IP.

That's probably OK, because the source IP cannot easily be
spoofed in that case.  But ...

 > What I would like was if IPFW would see numerous attempts to connect to 
 > SSH from the same IP and automatically create a rule to not allow that IP 
 > to connect at all to my machine. Is this possible?

It's possible, but it's probably _not_ a good idea, because
an attacker can easily perform a denial-of-service attack
against your machine.  For example, he can make several
connection attempts to your machine, using -- say -- the IP
addresses of your DNS servers as source IPs (or any other
address that might be important to you).  Then you would
blackhole your own DNS servers.

I recommend that you just ignore such attempts.  If your
filter rules are OK and your ssh configuration is OK (and
your passwords are OK, _if_ you allow password authenti-
cation), then there's no reason to worry.  If any of those
are not OK, then fix them first, because blackholing IPs
won't save you anyway.

Best regards

Oliver Fromme,  secnetix GmbH & Co KG, Marktplatz 29, 85567 Grafing
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

Passwords are like underwear.  You don't share them,
you don't hang them on your monitor or under your keyboard,
you don't email them, or put them on a web site,
and you must change them very often.

More information about the freebsd-ipfw mailing list