Blacklisting IPs

Louis LeBlanc FreeBSD at
Mon Jan 10 09:22:57 PST 2005

On 01/10/05 12:20 AM, artware sat at the `puter and typed:
> Hello again,
> My 5.3R system has only been up a little over a week, and I've already
> had a few breakin attempts -- they show up as Illegal user tests in
> the /var/log/auth.log... It looks like they're trying common login
> names (probably with the login name used as passwd). It takes them
> hours to try a dozen names, but I'd rather not have any traffic from
> these folks. Is there any way to blacklist IPs at the system level, or
> do I have to hack something together for each daemon?

I get this all the time too.  I'm sure anyone with a *nix system on the
net does.

The source is a script, often run on a system that has already been
compromised.  Probably an attempt to crack hosting systems that provide
shell accounts to users - often they don't use very good passwords.  I
vaguely remember reading somewhere that there was an old Linux
vulnerability that they were attempting to exploit too.

The best defense is a good firewall, good passwords, and restriction of
user ids that may login remotely.

Check /etc/login.access.  You can define subnets from which groups of
users are allowed to login, prohibit remote login, etc.  I have only one
account that can login remotely, and I use a fairly secure password for
it - meaning not even remotely a dictionary word, even with the vowel

A practice one of my former co-workers liked was to pick a song and pull
letters out; take Fleetwood Mac: "Don't Stop Thinking About Tomorrow".
You could get "DSTAT", turn that into something else, like "dSt4T".
Pretty short, but definitely not a dictionary word.  You could even take
more letters from the next line" "Don't Stop, It'll Soon Be Here" and get
"dSt4TDs1SbH", or any number of derivations.  If you forget the actual
password, your song is an excellent hint.

You get the idea.  You can take this idea and apply it in a number of
ways to a number of subjects, concepts, etc.

I'm sure after reading this, someone else will post another favorite
password generation method, including the numerous ports available - I'd
like to see one that checks the security of a password rather than just
generating them.

As for the firewall and the originating IP, I follow a plain process:

Check the whois record of the offending IP
  If the IP is in Asia, Russia, or Nigeria, I drop the CIDR spec into my
    firewall <BLOCKED> table and never hear from anyone on the network
    again.  The CIDER spec is part of the whois record
  If the IP is in Western Europe or North America, I notify the abuse
    address to inform them they either have a cracker or a cracked

This practice has reduced these attempts considerably.  Each time I see
another, I add it to the blocked table (I use pf, not ipfw).

Many systems will not have the CIDR blocking option available, but I
have no expectation of legitimate traffic from areas that I do block.
If you have paying customers, you have to just deal with it and try to
lock things down in other ways.

Louis LeBlanc               FreeBSD at
Fully Funded Hobbyist, KeySlapper Extrordinaire :)                     Ô¿Ô¬

The first thing we do, let's kill all the lawyers.
    -- Wm. Shakespeare, "Henry VI", Part IV

More information about the freebsd-questions mailing list