olli at lurza.secnetix.de
Thu Dec 21 07:33:29 PST 2006
Suhail Choudhury <suhailc at gmail.com> wrote:
> What's the easiest way to add an IP such as 220.127.116.11 to block it?
# ipfw add deny ip from 18.104.22.168 to me
Depending on your existing rules, you might have to specify
a rule number, so the new rule is inserted at an appropriate
Please refer to the ipfw(8) manual page for details.
> Also how do I block out IPs after a certain number of invalid login
> attempts to prevent brute forcing?
In general that's not a good idea. If you do it wrong, it
makes DoS attacks against your machine easier (i.e. a clever
attacker might be able to lock yourself out of your own
machine). And getting it right is not easy.
The best way to prevent brute-forcing is to use good
passwords, or -- even better -- don't use passwords at all, but
key authentication or OTP (SKey / OPIE).
Another thing that you can do is to move the sshd to a
non-standard port (i.e. something other than 22). Attackers
who look for machines for brute-forcing usually scan
networks for port 22 only. However, note that using a
non-standard port does _not_ make your machine more secure
(that would rather be "security by obscurity"). It only
prevents your machine from appearing in standard ssh scans,
so it gets rid of almost all of the "ssh login failures"
in your daily run output which result from such attempts.
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.
"We, the unwilling, led by the unknowing,
are doing the impossible for the ungrateful.
We have done so much, for so long, with so little,
we are now qualified to do anything with nothing."
-- Mother Teresa
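
An added example, not part of the original message: if failed logins are turned into deny rules despite the caveats in the reply, this script shows two safeguards against locking yourself out, an allowlist of your own addresses and strict parsing of the log line, and it only prints the ipfw commands with explicit rule numbers. THRESHOLD, RULE_BASE, ALLOW and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: prints ipfw deny rules for repeated sshd failures; runs nothing.
THRESHOLD=3          # assumption: failures before an address is listed
RULE_BASE=1000       # assumption: must sort before the rule that allows ssh
ALLOW="198.51.100.7" # assumption: your own addresses, never to be blocked

# stdin: sshd log lines; stdout: one ipfw command per offending address
block_candidates() {
    awk -v max="$THRESHOLD" -v base="$RULE_BASE" -v allow="$ALLOW" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        /sshd\[[0-9]+\]: Failed password for / {
            ip = ""
            # Use the last "from": the user name before it is remote-supplied.
            for (i = NF - 1; i > 0; i--)
                if ($i == "from") { ip = $(i + 1); break }
            # Dotted quad only, so nothing else from the log reaches the rule.
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            if (ip in skip) next
            if (++count[ip] == max) hit[++m] = ip
        }
        END {
            for (i = 1; i <= m; i++)
                printf "ipfw add %d deny ip from %s to me\n", base + i - 1, hit[i]
        }'
}

# Constructed sample log (documentation addresses, not real hosts).
sample_log() {
    cat <<'EOF'
Dec 21 07:01:01 host sshd[811]: Failed password for root from 192.0.2.10 port 4001 ssh2
Dec 21 07:01:03 host sshd[811]: Failed password for invalid user admin from 192.0.2.10 port 4002 ssh2
Dec 21 07:01:05 host sshd[811]: Failed password for root from 192.0.2.10 port 4003 ssh2
Dec 21 07:02:00 host sshd[812]: Failed password for alice from 198.51.100.7 port 5001 ssh2
Dec 21 07:02:04 host sshd[812]: Failed password for alice from 198.51.100.7 port 5002 ssh2
Dec 21 07:02:09 host sshd[812]: Failed password for alice from 198.51.100.7 port 5003 ssh2
Dec 21 07:03:00 host sshd[813]: Failed password for invalid user test from 203.0.113.5 port 6001 ssh2
EOF
}

sample_log | block_candidates
```

Review the printed rules before running any of them, and check with `ipfw list` that the chosen rule numbers land where you intend in your rule set.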