securing SSH, FBSD systems

Francisco Reyes lists at
Fri Jun 3 18:02:16 GMT 2005

On Fri, 3 Jun 2005, fbsd_user wrote:

> I am running ipfilter firewall and I ran test to see who gets access
> to the packet first (IE: firewall or route command). Normally I have
> inbound FTP port 21 denied in my firewall. I changed that rule to
> allow and log so I could see all the packets flow through. I had
> buddy run FTP to my server over public internet.
> Pass-1. log shows passive ftp access to my server from public
> internet.
> Pass-2. First I issued route blackhole command on ip address of
> friends system. Then had friend run same FTP access request to my
> server. This time firewall log still shows inbound packet on port 21
> passing in and out but friends FTP session says connection error.
> Pass-3. did route delete for ip address and had test rerun and ftp
> worked like expected.
> Conclusion.  The route blackhole command gets control after being
> allowed through firewall. Since IPFW and PF access the packet the
> same way IPFilter does this hold true for all of them.

The short answer is I don't know but it's possible it's the same.

> The use of the route blackhole command is a specific solution for
> circumstances where the standard public port number can not be changed
> to some port number so it's not attacked. I now understand why it's
> a perfect workaround for your ssh attack problem.

Based on the feedback I got, the route command uses a non-linear type of 
database whereas IPFW is just a linear list.

My list of IPs to blackhole is around 400 and growing. That's why in my 
case I continue to use route/blackholing.

> PS. I have been using the abuse-reporting-scripts to report this
> kind of stuff to the ISP who owns the attackers IP address. This has
> resulted in many ISPs terminating the attackers account.

> You can download the abuse-reporting-scripts from

Thanks for the link. Didn't know about those; however, I often check the IP 
of the attacker to see where in the world they are coming from, and a large 
number of IPs are coming from China. Not sure how responsive the ISPs 
there will be.
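The blackholing approach discussed in this thread, keeping a growing list of attacker addresses and pushing each into the kernel routing table with route(8) rather than into a linear firewall ruleset, is worked out below as an added example. This is not a script from the thread or from FreeBSD; it assumes the FreeBSD `route add -host <ip> 127.0.0.1 -blackhole` command form, and the sample blocklist it builds uses constructed TEST-NET addresses rather than real attacker IPs. The point it adds to the discussion is the hygiene step: validate and de-duplicate the list before it touches the routing table, and default to a dry run so the generated commands can be reviewed first.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the freebsd-questions thread).
# Turns a blocklist of IPv4 addresses into FreeBSD route(8) blackhole commands.
# Default behaviour is a dry run that prints the commands; executing them
# requires root on a FreeBSD host and is left to the operator.

# Return 0 if $1 is a syntactically valid dotted-quad IPv4 address.
valid_ipv4() {
    ip=$1
    # Only digits and dots allowed; this also keeps globbing characters out
    # of the unquoted "set --" below.
    case "$ip" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # empty field ("1..2.3"), too long, or out of range -> reject
        [ -n "$octet" ] || return 1
        [ ${#octet} -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read addresses (one per line, '#' comments allowed) from file $1, drop
# duplicates and malformed entries, and print one route(8) command per address.
# Malformed entries are reported on stderr instead of being silently dropped.
blackhole_cmds() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
      | grep -v '^$' | sort -u \
      | while read -r ip; do
            if valid_ipv4 "$ip"; then
                printf 'route add -host %s 127.0.0.1 -blackhole\n' "$ip"
            else
                printf 'skipping malformed entry: %s\n' "$ip" >&2
            fi
        done
}

# Constructed sample blocklist (TEST-NET ranges, not real attacker hosts).
sample_blocklist=$(mktemp)
cat > "$sample_blocklist" <<'EOF'
# hosts seen brute-forcing sshd (constructed example)
192.0.2.10
198.51.100.7   # listed twice on purpose to show de-duplication
198.51.100.7
203.0.113.300  # malformed: octet > 255
not-an-ip
EOF

# Dry run: review the commands before feeding them to a root shell.
blackhole_cmds "$sample_blocklist"
```

With the sample list above the dry run prints exactly two `route add` lines (the duplicate collapses to one, the two bad entries are reported on stderr). To apply the reviewed list on a FreeBSD host, pipe the output into a root shell; because `route add` fails on an address that already has a route, rerunning the script is safe and simply reports the existing entries.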
