|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Neil Neely (neil
neely.cx)
Date: Thu Aug 21 2008 - 14:28:30 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
I haven't explored this issue enough to speak with any authority - but
once upon a time I had an app doing tons of ipfw rule add/removes all
the time and we had no end of performance and stability problems on
that box (this would have been in 4.x or so timeline I expect). As
that approach wasn't really critical we abandoned it without really
digging into the details.
Years later a need for lots of rapid firewall changes came up again
and I drilled into it and found the use of tables was excellent for
doing this and it does the job very well. This is approach is on a
FreeBSD 6.3 box.
ipfw add 00550 deny ip from 'table(1)' to any
Then just add remove entries to table 1 via:
ipfw table 1 add 10.1.1.22/32
ipfw table 1 delete 10.1.1.22/32
show all entries in table 1 with:
ipfw table 1 list
Clear out the whole of table 1
ipfw table 1 flush
I can't be sure if this relates to your particular issue, but I would
recommend trying it out.
Neil Neely
http://neil-neely.blogspot.com
On Aug 21, 2008, at 11:38 AM, Mikhail Teterin wrote:
> Hello!
>
> A machine I manage remotely for a friend comes under a distributed
> ssh break-in attack every once in a while. Annoyed (and alarmed) by
> the messages like:
>
> Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from
> 85.234.158.180
> Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from
> 85.234.158.180
> Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from
> 85.234.158.180
> Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from
> 85.234.158.180
>
> I wrote an awk-script, which adds a block of the attacking IP-
> address to the ipfw-rules after three such "invalid user" attempts
> with:
>
> ipfw add 550 deny ip from ip
>
> The script is fed by syslogd directly -- through a syslog.conf rule
> ("|/opt/sbin/auth-log-watch").
>
> Once in a while I manually flush these rules... I this a good (safe)
> reaction?
> I'm asking, because the machine (currently running 7.0 as of July 7)
> hangs solid once every few weeks... My only guess is that a spike in
> attacks causes "too many" ipfw-entries created, which paralyzes the
> kernel due to some bug -- the machine is running natd and is the
> gateway for the rest of the network...
> The hangs could, of course, be caused by something else entirely,
> but my self-defense mechanism is my first suspect...
>
> Any comments? Thanks!
>
> -mi
>
> _______________________________________________
> freebsd-securityfreebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribefreebsd.org
> "
_______________________________________________
freebsd-securityfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribefreebsd.org"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]