Block IP

Oliver Fromme olli at
Thu Dec 21 07:33:29 PST 2006

Suhail Choudhury <suhailc at> wrote:
 > What's the easiest way to add an IP such as to block it?


# ipfw add deny ip from to me

Depending on your existing rules, you might have to specify
a rule number, so the new rule is inserted at an appropriate

Please refer to the ipfw(8) manual page for details.

 > Also how do I block out IPs after a certain number of invalid login
 > attempts to prevent brute forcing?

In general that's not a good idea.  If you do it wrong, it
makes DoS attacks against your machine easier (i.e. a clever
attacker might be able to lock yourself out of your own
machine).  And getting it right is not easy.

The best way to prevent brute-forcing is to use good pass-
words, or -- even better -- don't use passwords at all, but
key authentication or OTP (SKey / OPIE).

Another thing that you can do is to move the sshd to a non-
standard port (i.e. something other than 22).  Attackers
who look for machines for brute-forcing usually scan
networks for port 22 only.  However, note that using a
non-standard port does _not_ make your machine more secure
(that would rather be "security by obscurity").  It only
prevents your machine from appearing in standard ssh scans,
so it gets rid of almost all of the "ssh login failures"
in your daily run output which result from such attempts.

Best regards

Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD:
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"We, the unwilling, led by the unknowing,
are doing the impossible for the ungrateful.
We have done so much, for so long, with so little,
we are now qualified to do anything with nothing."
        -- Mother Teresa

More information about the freebsd-stable mailing list