Banning ips for some time?

Erik Norgaard norgaard at
Tue Jan 25 01:31:42 PST 2005

Christian Tischler wrote:
> as I have an DSL line witch is 24/7 online (coming from an big and 
> popular provider)  my servers sshd reports 30 to 50 failed 
> root/operator/etc. logins a day. I would like to block the incoming ip 
> for a few days automaticly after e.g failed login requests.
> Currently I am using ipf, but it would be no problem to use any other 
> FreeBSD firewall.
> This is not only for security reasons, but also to shorten the daily 
> security run output :-)

Q: Do you think that you will see new attempts from the same ip in one 
of the following days?

A: Likely not the same ip - but posibly from the same block of ip's => 
won't help much to block specific ip's.

Q: Do you consider it plausible that after a few days legitimate 
connections will originate from those ip's?

A: Likely not, but if so, you have no way of predicting from which ip 
and when => if you need open access, then blocking temporary will block 
legitimate connections, if not, then opening again will open for 
ilegitimate connections.

Q: Is your system more vulnerable after failed login attempts to non 
existent accounts?

A: Your system will only be more vulnerable if you can assume the 
attacker will come back and continue from where he left off. But, 
changing passwords will not help, unless you choose something that has 
been tested and you know he will not test the same password twice.

Conclusion: If you can setup fixed rules for where legitimate 
connections will originate, do so and block everything else. Otherwise, 
all attempts to improve security or shorten the security daily will fail.

I have a script that may help you create country based rules:

Cheers, Erik
Ph: +34.666334818                           web:
S/MIME Certificate:
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2

More information about the freebsd-questions mailing list