Illegal access attempt - FreeBSD 5.4 Release - please advise
gayn.winters at bristolsystems.com
Wed Aug 24 15:45:53 GMT 2005
> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org] On Behalf Of Michael Dale
> Sent: Wednesday, August 24, 2005 4:40 AM
> To: Hornet
> Cc: ro ro; freebsd-questions at freebsd.org
> Subject: Re: Illegal access attempt - FreeBSD 5.4 Release -
> please advise
> >Also, most if not all of the blocks below are Asia netblocks that I
> >have had more than 3 attempts to gain access to my servers.
> Not always a good idea. A lot of Australian users have been having
> issues because of people doing this. More info here:

Such automated blocking is becoming common in the better Intrusion
Detection Systems, which talk to their associated firewalls. If you are
creating what is effectively a simple IDS, here are a couple thoughts:

First, blocking reserved areas of the IP space seems a little different
than fighting malicious hackers and spammers, but in either case, see

Second, if someone legitimate is being blocked, they'll probably call
you. You can put an earlier rule in the firewall to let them in. If you
are running an ecommerce site, you might not want to block half the
world; invest in a more powerful firewall/IDS combination. See (iii)

Third, if you are automating the creation of your blocks (a good idea)
then you could also do the following:

(i) create blocks as narrow as possible given the attacks. First block
the IP address, then if several nearby addresses attack, block that

(ii) allow the blocks to time-out after a while (as many IDS blocks do).
If (i) turns them back on, then increase the length of the time-out.

(iii) review your blocks every now and then either by reviewing your
firewall logs or by having your (perl?) program check if (ii) turns off
a block only to have (i) turn it on again or if it never cycles.

BTW, our firewall blocks so many attacks per minute that its
multi-colored console display is better than a soap opera!
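
The (i)-(iii) scheme from the message above, sketched as an added example that is not part of the original post. It is IPv4-only bookkeeping with no firewall calls; the BlockList name, the one-hour base time-out, widening to the enclosing /24 after three distinct attackers, and doubling the time-out on each re-block are all assumptions, since the post gives no numbers.

```python
import ipaddress
from collections import defaultdict

BASE_TTL = 3600    # assumed first time-out, in seconds
WIDEN_AFTER = 3    # assumed: distinct attackers in one /24 before widening

class BlockList:
    def __init__(self):
        self.active = {}                 # network -> expiry time
        self.strikes = defaultdict(int)  # network -> times it was blocked
        self.seen = defaultdict(set)     # /24 -> attacking addresses seen

    def _block(self, net, now):
        # (ii) each re-block after a time-out doubles the lifetime (assumed policy)
        self.strikes[net] += 1
        self.active[net] = now + BASE_TTL * 2 ** (self.strikes[net] - 1)
        return net

    def expire(self, now):
        for net in [n for n, t in self.active.items() if t <= now]:
            del self.active[net]

    def record_attack(self, ip, now):
        """Return the network newly blocked, or None if already covered."""
        self.expire(now)
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.active):
            return None
        host = ipaddress.ip_network(f"{ip}/32")
        parent = host.supernet(new_prefix=24)
        self.seen[parent].add(addr)
        # (i) narrowest block first; widen only when neighbours attack too
        if len(self.seen[parent]) >= WIDEN_AFTER:
            for net in [n for n in self.active if n.subnet_of(parent)]:
                del self.active[net]     # the /24 replaces its host blocks
            return self._block(parent, now)
        return self._block(host, now)

    def review(self):
        # (iii) blocks that timed out and were then turned on again
        return sorted((n for n, s in self.strikes.items() if s > 1), key=str)

if __name__ == "__main__":
    bl = BlockList()
    # Constructed sample events (documentation addresses): (ip, unix time)
    events = [("203.0.113.5", 0), ("203.0.113.5", 4000),
              ("203.0.113.9", 4100), ("203.0.113.77", 4200)]
    for ip, t in events:
        print(t, ip, "->", bl.record_attack(ip, t))
    print("review:", bl.review())
```

The review list is where a legitimate user caught by a widened block would show up for a human to check before the time-out grows further.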