Blacklisting IPs

Jez Hancock jez.hancock at gmail.com
Mon Jan 10 11:42:17 PST 2005


On Mon, 10 Jan 2005 12:23:04 -0500, Louis LeBlanc
<FreeBSD at keyslapper.org> wrote:
> On 01/10/05 12:20 AM, artware sat at the `puter and typed:
> > Hello again,
> >
> > My 5.3R system has only been up a little over a week, and I've already
> > had a few break-in attempts -- they show up as Illegal user tests in
> > the /var/log/auth.log... It looks like they're trying common login
> > names (probably with the login name used as passwd). It takes them
> > hours to try a dozen names, but I'd rather not have any traffic from
> > these folks. Is there any way to blacklist IPs at the system level, or
> > do I have to hack something together for each daemon?
> 
> 
> The best defense is a good firewall, good passwords, and restriction of
> user ids that may login remotely.

I started blocking the addresses that attacked but the frequency of
the attacks made it impractical to add every attacking address to the
firewall ruleset.  I came to the conclusion that as long as the items
you mention above are in place - especially good passwords - and the
attacks aren't saturating the connection, then there's little to worry
about - perhaps on a par with portscanning.

Another fairly simple option though is to just change the port that
sshd listens on since the attacks presume that sshd is listening on
port 22.  Not always practical though if you have lots of users.

-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/
http://freebsd.munk.nu/      - A FreeBSD Diary
http://ipfwstats.sf.net/        - ipfw peruser traffic logging
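As an added example (not part of the original thread), here is a small Python script that reads /var/log/auth.log entries in the "Illegal user <name> from <addr>" form the original poster describes, groups attempts per source address, and renders ipfw table entries for an administrator to review before applying. The log lines are constructed sample data, and the ipfw table number (1) is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of FreeBSD 5.x sshd entries in /var/log/auth.log
# (not real data). Note the mixed forms: "Illegal user" lines, a
# "Failed password for illegal user" follow-up, and a normal login.
SAMPLE_AUTH_LOG = """\
Jan 10 03:12:44 box sshd[2911]: Illegal user test from 192.0.2.10
Jan 10 03:14:02 box sshd[2914]: Illegal user guest from 192.0.2.10
Jan 10 03:15:37 box sshd[2920]: Illegal user admin from 192.0.2.10
Jan 10 03:15:38 box sshd[2920]: Failed password for illegal user admin from 192.0.2.10 port 41222 ssh2
Jan 10 04:01:10 box sshd[3002]: Illegal user oracle from 198.51.100.7
Jan 10 04:20:55 box sshd[3010]: Accepted publickey for jez from 203.0.113.5 port 50222 ssh2
"""

# Matches only the "Illegal user <name> from <addr>" wording, so the
# "Failed password for illegal user" follow-up line is not double counted.
ILLEGAL_USER_RE = re.compile(
    r"sshd\[\d+\]: Illegal user (?P<user>\S+) from (?P<addr>\d{1,3}(?:\.\d{1,3}){3})$"
)


def illegal_users_by_addr(log_text):
    """Return {source_addr: [usernames tried, in log order]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = ILLEGAL_USER_RE.search(line)
        if m:
            hits[m.group("addr")].append(m.group("user"))
    return dict(hits)


def block_candidates(log_text, threshold=3):
    """Sorted addresses with at least `threshold` Illegal user attempts."""
    return sorted(addr for addr, users in illegal_users_by_addr(log_text).items()
                  if len(users) >= threshold)


def ipfw_table_commands(addrs, table=1):
    """Render ipfw table entries for review; the table number is an assumption."""
    return ["ipfw table %d add %s" % (table, addr) for addr in addrs]


if __name__ == "__main__":
    for addr, users in illegal_users_by_addr(SAMPLE_AUTH_LOG).items():
        print("%-15s %d attempts: %s" % (addr, len(users), ", ".join(users)))
    for cmd in ipfw_table_commands(block_candidates(SAMPLE_AUTH_LOG)):
        print(cmd)
```

Raising or lowering `threshold` trades off catching slow scanners like the one the poster saw (a dozen names over hours) against blocking a legitimate user who mistyped a login name a few times.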
