Blacklisting IPs

Louis LeBlanc FreeBSD at
Mon Jan 10 12:00:48 PST 2005

On 01/10/05 07:42 PM, Jez Hancock sat at the `puter and typed:
> On Mon, 10 Jan 2005 12:23:04 -0500, Louis LeBlanc
> <FreeBSD at> wrote:
> > On 01/10/05 12:20 AM, artware sat at the `puter and typed:
> > > Hello again,
> > >
> > > My 5.3R system has only been up a little over a week, and I've already
> > > had a few breakin attempts -- they show up as Illegal user tests in
> > > the /var/log/auth.log... It looks like they're trying common login
> > > names (probably with the login name used as passwd). It takes them
> > > hours to try a dozen names, but I'd rather not have any traffic from
> > > these folks. Is there any way to blacklist IPs at the system level, or
> > > do I have to hack something together for each daemon?
> > 
> > 
> > The best defense is a good firewall, good passwords, and restriction of
> > user ids that may login remotely.
> I started blocking the addresses that attacked but the frequency of
> the attacks made it impractical to add every attacking address to the
> firewall ruleset.  I came to the conclusion that as long as the items
> you mention above are in place - especially good passwords - and the
> attacks aren't saturating the connection, then there's little to worry
> about - perhaps on a par with portscanning.

You're right there, but I figure I'm going to get hundreds or thousands
of IPs if I block the CIDR spec.  It's a little heavy handed, but those
networks will often beget dozens of attacks over a space of a couple
weeks sometimes, and often no two come from the same IP.  Whether it's
the same system is anyone's guess, but unless they get a new provider,
they have no access to my system.

> Another fairly simple option though is to just change the port that
> sshd listens on since the attacks presume that sshd is listening on
> port 22.  Not always practical though if you have lots of users.

I've seen this recommended here many times.  I haven't done it because I
work on too many systems that I don't have that kind of control over,
and I don't need to confuse myself with nonstandard configs.  I already
have 2 or 3 dozen passwords to remember :|

Louis LeBlanc               FreeBSD at
Fully Funded Hobbyist, KeySlapper Extrordinaire :)                     Ô¿Ô¬

I have yet to see any problem, however complicated, which, when
you looked at it in the right way, did not become still more complicated.
    -- Poul Anderson
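The thread above describes the whole loop by hand: spot the "Illegal user" lines in /var/log/auth.log, decide whether to block the single address or the surrounding network, and feed the result to the firewall. The script below is an added example, not code from anyone in this thread, that automates the first two steps over a few constructed auth.log lines. It assumes the FreeBSD 5.3-era sshd log format shown (newer OpenSSH releases log "Invalid user" instead of "Illegal user", so the pattern accepts both), uses the documentation address ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 as fake attackers, and assumes pf with a table named bruteforce is the firewall; the thresholds are illustrative choices, not values from the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample auth.log excerpt (not real data), in the style of FreeBSD 5.3 sshd.
SAMPLE_LOG = """\
Jan 10 03:12:44 host sshd[4021]: Illegal user admin from 192.0.2.10
Jan 10 03:12:51 host sshd[4023]: Illegal user test from 192.0.2.10
Jan 10 03:13:02 host sshd[4025]: Illegal user oracle from 192.0.2.10
Jan 10 03:14:17 host sshd[4030]: Illegal user guest from 192.0.2.77
Jan 10 03:14:40 host sshd[4031]: Illegal user admin from 192.0.2.77
Jan 10 04:01:09 host sshd[4100]: Illegal user www from 198.51.100.5
Jan 10 05:22:33 host sshd[4200]: Accepted publickey for louis from 203.0.113.9 port 50122 ssh2
"""

# Older OpenSSH logs "Illegal user", later versions "Invalid user"; match both.
ILLEGAL_USER = re.compile(
    r"sshd\[\d+\]: (?:Illegal|Invalid) user (\S+) from (\d+\.\d+\.\d+\.\d+)"
)


def illegal_user_attempts(log_text):
    """Count failed-username probes per source IP from auth.log text."""
    per_ip = Counter()
    for line in log_text.splitlines():
        m = ILLEGAL_USER.search(line)
        if m:
            per_ip[str(ipaddress.ip_address(m.group(2)))] += 1
    return per_ip


def block_candidates(log_text, ip_threshold=3, net_threshold=5, min_hosts=2):
    """Return (hosts, networks) worth blocking.

    A single IP is listed once it reaches ip_threshold probes.  A whole /24
    is listed instead when at least min_hosts distinct addresses in it have
    together produced net_threshold probes (the "same network, different IP
    every time" pattern described in the thread).  Hosts already covered by
    a listed network are dropped so the firewall table stays small.
    Thresholds are assumptions for illustration.
    """
    per_ip = illegal_user_attempts(log_text)

    hosts_by_net = {}
    for ip, n in per_ip.items():
        net = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        hosts_by_net.setdefault(net, {})[ip] = n

    networks = sorted(
        net for net, hosts in hosts_by_net.items()
        if len(hosts) >= min_hosts and sum(hosts.values()) >= net_threshold
    )
    blocked = [ipaddress.ip_network(n) for n in networks]
    hosts = sorted(
        ip for ip, n in per_ip.items()
        if n >= ip_threshold
        and not any(ipaddress.ip_address(ip) in bn for bn in blocked)
    )
    return hosts, networks


def pf_table_commands(hosts, networks, table="bruteforce"):
    """Render pfctl commands that add the entries to a pf table (table name assumed)."""
    return [f"pfctl -t {table} -T add {entry}" for entry in hosts + networks]


if __name__ == "__main__":
    hosts, networks = block_candidates(SAMPLE_LOG)
    print("hosts:", hosts)
    print("networks:", networks)
    for cmd in pf_table_commands(hosts, networks):
        print(cmd)
```

With the sample data the /24 rule fires for 192.0.2.0/24 (five probes from two addresses), which also absorbs the single-host entry for 192.0.2.10; 198.51.100.5 stays below every threshold, and the successful key login from 203.0.113.9 is ignored. Raising net_threshold to 10 leaves only the single host 192.0.2.10 on the list, which is the trade-off the thread is weighing between per-IP and per-network blocking.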
