Temporarily blocking ports

Chris eagletree at hughes.net
Sat Nov 29 12:47:38 PST 2008

On Nov 29, 2008, at 11:39 AM, Jos Chrispijn wrote:

> Can someone hint me how I can block ports for let's say 30 minutes  
> if someone repeatedly tries to do a SSH login?
> I use ipfw as firewall...
If you mean the statement as entered while you are watching,
something like:

ipfw add 0922 deny tcp from nn.nn.nn.nn to me dst-port 22

where 922 is some line prior to your normal allow statements for ssh
nn.nn.nn.nn is the address you'd prefer to block.

If you mean an automated way, put this in a perl program,
sleep for 30 minutes and then do a ipfw delete 0922. Your
program will need to run as root of course.

Doing things like this tends to be risky if you aren't careful.
If you don't have anti-spoofing and perhaps even some
careful whitelisting rules, depending on how you identify
an attack, schemes such as this can be turned
against you once you automate it.

I think a better way is to allow only ip addresses you want to
connect on ssh to start a session with setup keep-state and
then include a specific deny for all ssh connections following that
statement. If you have connections coming in from certain
nets but dynamically assigned addresses, only allow those
ranges and block all others. That will dramatically reduce the
audience of casual brute force attackers.

An even tighter practice is to turn off all password logins and
use only keyed connections. This is easier than it might seem
though I'll admit I think of ssh as something only a select
number of users may use and thus you know them by name
and what IPs they are permitted to connect on.

> regards,
> Jos Chrispijn
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions- 
> unsubscribe at freebsd.org"

More information about the freebsd-questions mailing list