Blacklisting IPs

Gene listmail at
Sun Jan 9 23:39:49 PST 2005

I have the same problem - numerous attempts to crack accounts like 
"admin", Guest", "test", and so on.

If it continually comes from the same IP, blocking that IP at the 
firewall should do the trick.
However, if the attempts come from varying IPs and you intend to allow 
logins from the Internet, then you'd need to block out an unwieldy 
number of IP addresses. The best bet in this case is to make sure your 
system is as secure as possible. Disable telnet and allow only ssh 
logins. Make sure you use strong passwords, or better, try one time 
passwords. (See the handbook.) I use ssh, no telnet from outside the 
lan, with ssh restricted to allow only certain users/groups to login, 
and all those groups use opie for one time passwords. In addition, the 
firewall (I use IPF) is pretty tight, only allowing through the services 
I want available outside the lan.

I do seem to recall a scheme that detects such things as port scans and 
automagically adds a rule to the firewall to block the offending IP 
address, but I doubt that would help in your case.

One other thing I have done: Since a great many of the attempts come 
from IPs that resolve to the "pl" top level domain, I've just blocked 
any ip address that resolves to that domain altogether. I don't really 
expect any interest in my web site to come from Poland, so the action is 
feasible for me.

I'm certain that others on the list will come up with better methods, 
but I just wanted to toss in my 2 cents worth.


artware wrote:

>Hello again,
>My 5.3R system has only been up a little over a week, and I've already
>had a few breakin attempts -- they show up as Illegal user tests in
>the /var/log/auth.log... It looks like they're trying common login
>names (probably with the login name used as passwd). It takes them
>hours to try a dozen names, but I'd rather not have any traffic from
>these folks. Is there any way to blacklist IPs at the system level, or
>do I have to hack something together for each daemon?
>- ben
>freebsd-questions at mailing list
>To unsubscribe, send any mail to "freebsd-questions-unsubscribe at"

More information about the freebsd-questions mailing list