Blacklisting IPs

Ted Mittelstaedt tedm at toybox.placo.com
Mon Jan 10 23:20:26 PST 2005



> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Chris
> Sent: Monday, January 10, 2005 4:07 PM
> To: artware
> Cc: freebsd-questions at freebsd.org
> Subject: Re: Blacklisting IPs
> 
> 
> artware wrote:
> > Hello again,
> > 
> > My 5.3R system has only been up a little over a week, and I've already
> > had a few break-in attempts -- they show up as Illegal user tests in
> > the /var/log/auth.log... It looks like they're trying common login
> > names (probably with the login name used as passwd). It takes them
> > hours to try a dozen names, but I'd rather not have any traffic from
> > these folks. Is there any way to blacklist IPs at the system level, or
> > do I have to hack something together for each daemon?
> > 
> > - ben
> 
> Here's what I do -
> 
> as root: route -nq add -host xxx.xxx.xxx.xxx 127.0.0.1 -blackhole
> 
> To the attacker, it looks as if you dropped off the net.

This actually isn't the best advice since the incoming packets
from the attacker are still using up your bandwidth.

It's best to report them and it's not hard to do it.  There
are automated tools that will do it.  As the CTO of an ISP
let me tell you that we get about 1 of those reports every
few months - that is how few people are reporting them - and
we look closely at every one of them.  This isn't a situation
where the abuse departments of most ISPs are overflowing
with so many network abuse notifications that they aren't
interested in getting more of them.  Now spam notifications -
that's a different issue - few people reporting spam know
how to do it properly or how to figure out where to correctly
report them, with the unfortunate result that they are quickly
becoming useless.  Only about 1 in 400 spam notifications I
get a week nowadays are even indicating spam coming from our IP
range, let alone indicating bona fide spam.

Going after wannabes that are using our service to try breaking
into other computers is one of the enjoyable parts of my job,
to be honest.  It's a lot more fun than sending out form
e-mails to spam reports saying some polite variation of "look at
the source IP number that spam originated from, not the
domain name, dumbass".

Ted
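An added example, not part of either message in the thread: a small POSIX sh script that tallies the "Illegal user" lines Ben mentions in /var/log/auth.log by source address, so you have a count for the abuse report Ted recommends, and that prints (rather than runs) Chris's blackhole route command for any source above a threshold. The log lines embedded in it are constructed samples in the format FreeBSD 5.x sshd writes; the function names, the threshold and the RFC 5737 addresses are assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Summarise "Illegal user" attempts by
# source IP and emit blackhole route commands for review, never run them here.

# Constructed sample of /var/log/auth.log lines (assumed format, FreeBSD 5.x sshd).
SAMPLE_LOG='Jan 10 03:14:07 host sshd[1234]: Illegal user test from 192.0.2.10
Jan 10 03:14:12 host sshd[1236]: Illegal user admin from 192.0.2.10
Jan 10 03:15:01 host sshd[1240]: Illegal user oracle from 198.51.100.7
Jan 10 03:16:44 host sshd[1242]: Failed password for illegal user guest from 192.0.2.10 port 4321 ssh2
Jan 10 03:17:03 host sshd[1250]: Accepted publickey for ben from 203.0.113.5 port 51234 ssh2
Jan 10 03:18:22 host sshd[1255]: Illegal user www from 192.0.2.10'

# count_attempts LOGTEXT: print "count ip" per source address, busiest first.
# Only lines mentioning an illegal user are counted; the address is the token
# after "from", which holds for both message variants shown above.
count_attempts() {
    printf '%s\n' "$1" \
    | awk '/[Ii]llegal user/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
          }
          END { for (ip in n) print n[ip], ip }' \
    | sort -rn
}

# blackhole_commands LOGTEXT THRESHOLD: for each source with at least
# THRESHOLD attempts, print the FreeBSD command from Chris's reply.
# Printing instead of executing lets an admin review the list before
# running it as root (a blackhole route silently drops everything from
# that host, including a mistyped address of your own).
blackhole_commands() {
    count_attempts "$1" | awk -v t="$2" '$1 >= t {
        print "route -nq add -host " $2 " 127.0.0.1 -blackhole"
    }'
}

# Usage: run against the constructed sample; for a live box replace
# "$SAMPLE_LOG" with "$(cat /var/log/auth.log)".
count_attempts "$SAMPLE_LOG"
blackhole_commands "$SAMPLE_LOG" 3
```

The per-address counts, together with the timestamps in the raw log, are what an ISP abuse desk needs to act on; the route command only stops the traffic reaching your daemons, and, as Ted notes, the packets still arrive at your link.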

