----- Forwarded message from Mark Frasa <[EMAIL PROTECTED]> -----

From: Mark Frasa <[EMAIL PROTECTED]>
Subject: Re: Adding network & IP to hosts.deny
To: Pelle Andersson <[EMAIL PROTECTED]>
Reply-To: Mark Frasa <[EMAIL PROTECTED]>
Date: Mon, 11 Oct 2004 13:05:04 +0200
User-Agent: Mutt/1.5.6i
Message-ID: <[EMAIL PROTECTED]>

On 2004.10.11 12:53:20 +0200, Pelle Andersson wrote:
>
> Thanks all for your replies!
>
> Yes, the IP addresses are changing all the time. The pages I serve
> are for one country only (.se) so I think I can block whole nets
> without any problem. If the pages were international there would
> be a problem, I think.
>
> 2 new questions.
>
> 1. Is it possible to block a whole network with IPFW?
>
> Like this for example:
> ---
> ${fwcmd} add 961 deny IP from 192.168.100.0/24 to any
> ---
>
> 2. Do I also need to raise the number 961 by one in the above line for
> each new rule-line I add?
>
> In the meantime, I need/want/must to learn IPFW =)
>
> Thanks again,
> Best regards
>
> Rob wrote:
>
> > uidzero wrote:
> >
> >> Pelle Andersson wrote:
> >>
> >>> Hi!
> >>>
> >>> I have a lot of login attempts from various networks and IP
> >>> addresses on my FBSD 4.10 server. I have read the man pages for
> >>> hosts.deny but do not understand how to add networks and IP
> >>> addresses to it.
> >>>
> >>
> >> I use "/etc/rc.ipfw"...
> >>
> >> ${fwcmd} add 300 deny IP from 24.19.0.105 to any
> >> ${fwcmd} add 301 deny IP from 24.79.68.179 to any
> >> ${fwcmd} add 400 deny IP from 61.100.180.125 to any
> >> ${fwcmd} add 401 deny IP from 61.206.125.28 to any
> >> ${fwcmd} add 402 deny IP from 61.211.239.236 to any
> >> ${fwcmd} add 500 deny IP from 63.144.19.6 to any
> >> ${fwcmd} add 501 deny IP from 64.246.20.123 to any
> >> ${fwcmd} add 502 deny IP from 66.223.46.129 to any
> >> ${fwcmd} add 503 deny IP from 67.81.127.99 to any
> >> ${fwcmd} add 600 deny IP from 81.223.99.90 to any
> >> ${fwcmd} add 700 deny IP from 140.112.124.123 to any
> >> ${fwcmd} add 701 deny IP from 159.226.2.161 to any
> >> ${fwcmd} add 702 deny IP from 163.25.65.3 to any
> >> ${fwcmd} add 703 deny IP from 193.145.87.3 to any
> >> ${fwcmd} add 800 deny IP from 202.57.191.179 to any
> >> ${fwcmd} add 801 deny IP from 202.226.185.150 to any
> >> ${fwcmd} add 810 deny IP from 203.71.62.9 to any
> >> ${fwcmd} add 113 deny IP from 203.98.166.25 to any
> >> ${fwcmd} add 812 deny IP from 203.115.96.151 to any
> >> ${fwcmd} add 813 deny IP from 203.169.248.5 to any
> >> ${fwcmd} add 814 deny IP from 203.186.157.37 to any
> >> ${fwcmd} add 830 deny IP from 205.209.141.50 to any
> >> ${fwcmd} add 870 deny IP from 209.88.93.138 to any
> >> ${fwcmd} add 871 deny IP from 209.172.103.235 to any
> >> ${fwcmd} add 880 deny IP from 210.204.129.11 to any
> >> ${fwcmd} add 890 deny IP from 211.60.219.250 to any
> >> ${fwcmd} add 891 deny IP from 211.221.246.28 to any
> >> ${fwcmd} add 892 deny IP from 211.251.71.2 to any
> >> ${fwcmd} add 893 deny IP from 211.252.9.126 to any
> >> ${fwcmd} add 940 deny IP from 216.29.112.126 to any
> >> ${fwcmd} add 950 deny IP from 217.172.182.148 to any
> >> ${fwcmd} add 960 deny IP from 218.21.129.105 to any
> >> ${fwcmd} add 961 deny IP from 218.49.183.17 to any
> >> ${fwcmd} add 962 deny IP from 218.102.19.78 to any
> >> ${fwcmd} add 963 deny IP from 218.237.66.152 to any
> >> ${fwcmd} add 970 deny IP from 220.64.223.249 to any
> >> ${fwcmd} add 971 deny IP from 220.73.215.151 to any
> >> ${fwcmd} add 980 deny IP from 221.3.131.80 to any
> >> ${fwcmd} add 981 deny IP from 221.12.11.118 to any
> >> ${fwcmd} add 982 deny IP from 222.56.118.124 to any
> >
> > I have attacks by similar IP numbers. However, I discovered that these
> > IP numbers are used only once to attack my PC.
> > Next attack will be from a different IP number. So adding the IP
> > numbers to your list each time after an attack, will make your
> > deny-list longer and longer, but won't make it more effective, since
> > it doesn't protect you against the attacker's next attempts.
> >
> > Unless, of course, someone is attacking again and again from the same
> > IP number; but that is not what I observe.
> >
> > Rob.
>
> Actually, quite a few have attempted several times from the same IPs. I
> figure if it gets too big, I'll just block the whole class. What do I
> care if a whole country can't access my lil webserver? :)
>
> Thanks for the comment.
>
> Michael
>
> --
> Michael D. Whities
> [EMAIL PROTECTED]
> http://www.one-arm.com
>
> --
>
> There are four colors of hats to watch for:
> Black, White, Grey, and Red.
>
> The meanings are:
> Cracker, Hacker, Guru, and Victim.
>
> _______________________________________________
> [EMAIL PROTECTED] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Hi,

Q1 > Yes, you can add like /24 behind the IP address to specify a range.

Q2 > The best thing is to raise the number for each rule; when you later on
have to debug, you can delete, for instance, number 961, which will contain
only 1 line.
I.e. if you give 5 rules the same number you will delete all 5 when you type:

ipfw delete 961

Mark.

----- End forwarded message -----
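
Added example, not part of the forwarded message: a shell helper that applies Mark's advice by giving every deny rule its own number, so that `ipfw delete <number>` removes exactly one entry. The names `gen_deny_rules` and `valid_source` and the address 192.0.2.15 are assumptions made up for illustration; `fwcmd` and the rule form follow the thread.

```shell
#!/bin/sh
# Added example: gen_deny_rules and valid_source are hypothetical helpers.
# The rule form follows the thread; lowercase "ip" is the ipfw(8) spelling.
fwcmd="${fwcmd:-/sbin/ipfw}"

# Accept a dotted-quad IPv4 address, optionally followed by /0 to /32.
valid_source() {
    case $1 in ''|*[!0-9./]*) return 1 ;; esac
    addr=${1%%/*}
    case $1 in
        */*) bits=${1#*/} ;;
        *)   bits=32 ;;
    esac
    case $bits in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_deny_rules START SOURCE...: print one rule per distinct source,
# numbered START, START+1, ... Stops with status 1 on bad input or when
# the number would reach 65535, which ipfw reserves for its default rule.
gen_deny_rules() {
    num=$1; shift
    case $num in ''|*[!0-9]*) return 1 ;; esac
    seen=" "
    for src in "$@"; do
        if ! valid_source "$src" || [ "$num" -gt 65534 ]; then
            echo "refusing rule $num for source: $src" >&2
            return 1
        fi
        case $seen in *" $src "*) continue ;; esac
        seen="$seen$src "
        echo "$fwcmd add $num deny ip from $src to any"
        num=$((num + 1))
    done
}

# Constructed sample: the /24 from the thread, one documentation-range host,
# and a repeat that is skipped. Prints rules 961 and 962.
gen_deny_rules 961 192.168.100.0/24 192.0.2.15 192.168.100.0/24
```

The output lines can be pasted into the firewall script; nothing here calls ipfw itself.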