On 01/10/05 07:42 PM, Jez Hancock sat at the `puter and typed:
> On Mon, 10 Jan 2005 12:23:04 -0500, Louis LeBlanc
> <[EMAIL PROTECTED]> wrote:
> > On 01/10/05 12:20 AM, artware sat at the `puter and typed:
> > > Hello again,
> > >
> > > My 5.3R system has only been up a little over a week, and I've already
> > > had a few break-in attempts -- they show up as Illegal user tests in
> > > the /var/log/auth.log... It looks like they're trying common login
> > > names (probably with the login name used as passwd). It takes them
> > > hours to try a dozen names, but I'd rather not have any traffic from
> > > these folks. Is there any way to blacklist IPs at the system level, or
> > > do I have to hack something together for each daemon?
> >
> > The best defense is a good firewall, good passwords, and restriction of
> > user ids that may login remotely.
>
> I started blocking the addresses that attacked but the frequency of
> the attacks made it impractical to add every attacking address to the
> firewall ruleset. I came to the conclusion that as long as the items
> you mention above are in place - especially good passwords - and the
> attacks aren't saturating the connection, then there's little to worry
> about - perhaps on a par with portscanning.

You're right there, but I figure I'm going to get hundreds or thousands of
IPs if I block the CIDR spec. It's a little heavy-handed, but those networks
will often beget dozens of attacks over a space of a couple weeks sometimes,
and often no two come from the same IP. Whether it's the same system is
anyone's guess, but unless they get a new provider, they have no access to my
system.

> Another fairly simple option though is to just change the port that
> sshd listens on since the attacks presume that sshd is listening on
> port 22. Not always practical though if you have lots of users.

I've seen this recommended here many times. I haven't done it because I work
on too many systems that I don't have that kind of control over, and I don't
need to confuse myself with nonstandard configs. I already have 2 or 3 dozen
passwords to remember :|

Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org

I have yet to see any problem, however complicated, which, when you
looked at it in the right way, did not become still more complicated.
-- Poul Anderson
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
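The thread's approach (read the "Illegal user" lines out of /var/log/auth.log, then decide whether to block single addresses or a whole provider range) as an added example that is not part of the original posts. It assumes the OpenSSH 3.x log wording shown in the thread, uses a /24 as a stand-in for the "CIDR spec" Lou mentions, and runs over constructed sample lines in documentation address ranges, so the output is a review list for the admin rather than a change to any ruleset.

```python
import re
import ipaddress
from collections import Counter

# OpenSSH 3.x (as shipped with FreeBSD 5.3) logs failed guesses of nonexistent
# accounts as "Illegal user"; later releases say "Invalid user". Match both.
ILLEGAL_RE = re.compile(
    r"sshd\[\d+\]: (?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})"
)

# Constructed sample auth.log lines (documentation address ranges, not real attackers).
SAMPLE_LOG = """\
Jan 10 03:14:07 host sshd[812]: Illegal user test from 192.0.2.10
Jan 10 03:14:09 host sshd[814]: Illegal user guest from 192.0.2.10
Jan 10 05:02:41 host sshd[901]: Illegal user admin from 192.0.2.77
Jan 10 09:30:12 host sshd[1203]: Illegal user oracle from 198.51.100.5
Jan 10 12:23:04 host sshd[1340]: Accepted publickey for lou from 203.0.113.9 port 40112 ssh2
Jan 11 01:11:55 host sshd[1502]: Illegal user user from 192.0.2.140
"""

def illegal_user_attempts(log_text):
    """Count 'Illegal user' attempts per source IP and per /24 network."""
    per_ip, per_net = Counter(), Counter()
    for line in log_text.splitlines():
        m = ILLEGAL_RE.search(line)
        if not m:  # successful logins, other daemons, etc. are ignored
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        per_ip[str(ip)] += 1
        # /24 is an assumed stand-in for the attacker's provider range; widen as needed
        per_net[str(ipaddress.ip_network(f"{ip}/24", strict=False))] += 1
    return per_ip, per_net

def block_candidates(log_text, net_threshold=3):
    """Networks at or above the threshold, plus lone IPs those do not cover.

    Returned as strings for an admin to review before adding to the ruleset.
    """
    per_ip, per_net = illegal_user_attempts(log_text)
    nets = sorted(n for n, c in per_net.items() if c >= net_threshold)
    net_objs = [ipaddress.ip_network(n) for n in nets]
    singles = sorted(ip for ip in per_ip
                     if not any(ipaddress.ip_address(ip) in n for n in net_objs))
    return nets, singles

if __name__ == "__main__":
    print(block_candidates(SAMPLE_LOG))  # (['192.0.2.0/24'], ['198.51.100.5'])
```

Feed it the real file with `block_candidates(open("/var/log/auth.log").read())`; raising `net_threshold` keeps the output at single addresses, which is the trade-off the thread discusses.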