Banning ips for some time?
norgaard at locolomo.org
Tue Jan 25 01:31:42 PST 2005
Christian Tischler wrote:
> as I have a DSL line which is 24/7 online (coming from a big and
> popular provider) my server's sshd reports 30 to 50 failed
> root/operator/etc. logins a day. I would like to block the incoming IP
> for a few days automatically after e.g. failed login requests.
> Currently I am using ipf, but it would be no problem to use any other
> FreeBSD firewall.
> This is not only for security reasons, but also to shorten the daily
> security run output :-)
Q: Do you think that you will see new attempts from the same IP in one
of the following days?
A: Likely not the same IP - but possibly from the same block of IPs =>
won't help much to block specific IPs.

Q: Do you consider it plausible that after a few days legitimate
connections will originate from those IPs?
A: Likely not, but if so, you have no way of predicting from which IP
and when => if you need open access, then blocking temporarily will block
legitimate connections, if not, then opening again will open for

Q: Is your system more vulnerable after failed login attempts to non
A: Your system will only be more vulnerable if you can assume the
attacker will come back and continue from where he left off. But,
changing passwords will not help, unless you choose something that has
been tested and you know he will not test the same password twice.

Conclusion: If you can set up fixed rules for where legitimate
connections will originate, do so and block everything else. Otherwise,
all attempts to improve security or shorten the daily security run will fail.

I have a script that may help you create country-based rules:
Ph: +34.666334818 web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
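As an added illustration of the mechanism the original poster asks about (not code from either participant in this thread, and not the country-based script mentioned above): a small POSIX sh script that counts "Failed password" lines per source address in sshd syslog output and prints ipf block rules for addresses at or above a threshold. The log lines are constructed sample data; the interface name `dc0` and the threshold of 3 are assumptions to adjust for your host.

```shell
#!/bin/sh
# Added example, not from the original post: derive ipf block rules from
# failed sshd logins. Rules are printed for review, never loaded directly.

# Constructed sample lines in FreeBSD sshd syslog format (not real traffic).
SAMPLE_LOG='Jan 25 01:10:03 host sshd[1234]: Failed password for root from 203.0.113.7 port 4011 ssh2
Jan 25 01:10:05 host sshd[1235]: Failed password for invalid user operator from 203.0.113.7 port 4012 ssh2
Jan 25 01:10:09 host sshd[1236]: Failed password for root from 203.0.113.7 port 4013 ssh2
Jan 25 01:12:44 host sshd[1240]: Failed password for admin from 198.51.100.20 port 5000 ssh2
Jan 25 01:15:00 host sshd[1250]: Accepted publickey for alice from 192.0.2.9 port 6000 ssh2'

# Interface the rules apply to: an assumption, override with IFACE=xl0 etc.
IFACE="${IFACE:-dc0}"

# failed_counts: read log lines on stdin and print "count ip" for every
# source address of a "Failed password" line, highest count first.
# The address is taken as the word after "from", so user names containing
# spaces or odd characters cannot confuse the field position.
failed_counts() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# block_rules THRESHOLD: read log lines on stdin and emit one ipf rule per
# address with at least THRESHOLD failures (default 3). Each rule carries
# the count as a comment so the reviewer can see why it was generated.
block_rules() {
    threshold="${1:-3}"
    failed_counts | awk -v t="$threshold" -v ifc="$IFACE" '$1 >= t {
        printf "block in quick on %s from %s/32 to any # %d failed sshd logins\n", ifc, $2, $1
    }'
}

# Stand-alone run over the constructed sample: prints a single rule for
# 203.0.113.7 (3 failures); 198.51.100.20 stays below the threshold.
printf '%s\n' "$SAMPLE_LOG" | block_rules 3
```

Loading the output with `ipf -f` (for example `ipf -Fa -f /etc/ipf.rules` after appending the generated lines to your base rule set) is left as a manual step. The "few days" expiry the poster wants can be had without timed rules: regenerate the block list from only the last N days of /var/log/auth.log in a daily cron job, so an address drops out once its failures age past the window. This does not answer the reply's main objection, that the next attempts will come from a different address in the same block; it only trims the daily security output for repeat offenders.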