bruteforce protection howto
norgaard at locolomo.org
Sun Mar 21 01:33:45 UTC 2010
On 20/03/10 23:17, Vadkan Jozsef wrote:
> What's the best method to ban that ip [what is bruteforcing a server]
> what was logged on the logger?
> I need to ban the ip on the router pc.
Take your time to think about whether this is indeed the right solution.
1st: You need to decide which is the right policy to deploy. Basically
you can opt for a default deny or a default allow. With default deny you
create white lists for the exceptions that should be allowed. With
default allow you create black lists. Default deny and default allow
roughly correspond to the policies of OpenBSD vs. Microsoft Windows.
So, when is white listing an option? When you have a limited set of
exceptions, for example your local users that need ssh access. If this
set is limited consider deploying default deny. On the other hand, this
is not an option for your web service that you wish to provide for
Blacklisting is futile (think, did anti-virus solve the virus problem?).
Intruders may attempt to connect from anywhere, blocking a single IP
won't solve your problem, most likely the next attempt will not come
from that IP. This is because these attacks may be launched from a
number of compromised PCs and because the attacking PC may have a
dynamically assigned address. So you need to block entire ranges, but
I recently analysed my maillog to see where attempted spammers connected
from. I found some 3500 hosts in 1600 ranges (using whois lookup). These
ranges being typically /16. I haven't tried with ssh but I doubt it
would be much different.
If on top of this you make some auto-respond system, you expose yourself
to a denial of service attack, blindly blocking anything that creates a
Whether you use white or black listing this is effective only if you can
make informed decisions. If you don't do business with say China and you
know that 25% of all spam originates from China, it is only rational to
block access from China.
But, whenever possible, use white listing.
Ph: +34.666334818/+34.915211157 http://www.locolomo.org
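As an added example, not part of the mailing-list post above, the following script does for an sshd auth log what the author describes doing for a maillog: it extracts the sources of failed logins and groups them into covering ranges, so you can see how many distinct hosts and ranges a blacklist would have to track. The log lines are constructed, not real data, and the /16 grouping is an assumption standing in for the whois-derived ranges mentioned in the post.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample of sshd auth-log lines (not real data). The two failure
# formats mimic OpenSSH "Failed password" and FreeBSD PAM "authentication error"
# messages; the "Accepted publickey" line is a successful login and must be ignored.
SAMPLE_LOG = """\
Mar 21 00:01:02 gw sshd[4011]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Mar 21 00:01:05 gw sshd[4011]: Failed password for invalid user admin from 203.0.113.5 port 40113 ssh2
Mar 21 00:02:10 gw sshd[4020]: error: PAM: authentication error for root from 203.0.113.77
Mar 21 00:03:31 gw sshd[4031]: Failed password for root from 198.51.100.9 port 51234 ssh2
Mar 21 00:03:40 gw sshd[4035]: Failed password for invalid user test from 203.0.113.250 port 33010 ssh2
Mar 21 00:04:02 gw sshd[4040]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Mar 21 00:05:15 gw sshd[4051]: error: PAM: authentication error for admin from 198.51.100.200
"""

# Matches only failed-authentication messages and captures the source IPv4 address.
FAILED_RE = re.compile(
    r"(Failed password|authentication error) for .*? from (\d+\.\d+\.\d+\.\d+)"
)


def failed_sources(log_text):
    """Return a Counter mapping each source IP to its number of failed logins."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits[m.group(2)] += 1
    return hits


def aggregate_by_prefix(ip_counts, prefixlen=16):
    """Group per-IP failure counts into covering networks of the given prefix length.

    Using a fixed /16 is an assumption for this example; the post's author derived
    the actual ranges from whois lookups, which is more accurate but not offline.
    """
    attempts = Counter()
    hosts = {}
    for ip, n in ip_counts.items():
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        attempts[net] += n
        hosts.setdefault(net, set()).add(ip)
    return {
        str(net): {"attempts": attempts[net], "hosts": sorted(hosts[net])}
        for net in attempts
    }


def summarize(log_text, prefixlen=16):
    """Count distinct offending IPs and the ranges that would cover them."""
    per_ip = failed_sources(log_text)
    per_range = aggregate_by_prefix(per_ip, prefixlen)
    return {
        "distinct_ips": len(per_ip),
        "distinct_ranges": len(per_range),
        "ranges": per_range,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['distinct_ips']} offending IPs in {s['distinct_ranges']} /16 ranges")
    for net, info in sorted(s["ranges"].items()):
        print(f"  {net}: {info['attempts']} attempts from {len(info['hosts'])} hosts")
```

On the sample, five offending addresses collapse into two /16 ranges, which is the post's point in miniature: banning the one IP you saw in the log leaves the rest of the range untouched, while banning ranges quickly grows into the hundreds or thousands of entries the author found in the maillog. Pointing the script at a real log (for example piping `/var/log/auth.log` into `summarize`) turns it into a quick check of whether a blacklist on the router is even tractable before building one.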