Tuesday, January 10, 2006

06.13-Defending_Against_ Attacks

It's written for FreeBSD but it has some good info for any *BSD version. My favorite part is this:

Stopping Login Attacks


Using the customary port numbers or alternate port numbers for SSH, FTP, or
Telnet, all failed logins are logged to the /var/log/auth.log file. In most cases the
sending IP address is the real IP address of the attacker. In the long term the
solution is to do a whois on the attacker's IP address and report him to the ISP
who owns the IP address.



In the short term, to stop the login attack in progress, many people will add a
"deny this IP address" rule to their firewall rule set file. Yes, this will stop
the attack immediately, but when a firewall keeps all these special "deny this
IP address" rules, the firewall becomes very hard to maintain as that list of
denied IP address rules grows longer. A far better solution is to separate the
denied IP address list from the firewall rule set. This can be done using the
"routed blackhole" command.



Example:



To Add use
route add -host attacker_ip 127.0.0.1 -blackhole



To Delete use
route delete -host attacker_ip 127.0.0.1 -blackhole



To List use
netstat -nr | grep 127




This is executed in the IP stack and is faster than in the firewall when you
have over 20 of those special "deny this IP address" rules in the firewall. The
"attacker_ip" is found in the log records in the
/var/log/auth.log file.
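
One way to pull the "attacker_ip" values out of /var/log/auth.log and generate the blackhole route commands described above. This is an added example, not part of the quoted guide: the threshold, the allowlist and the sample log lines are constructed, and it assumes OpenSSH's "Failed password" log line format.

```sh
#!/bin/sh
# Added example: list source IPs with repeated failed SSH logins and print
# (not run) the blackhole route commands from the text above.
# THRESHOLD, ALLOWLIST and the sample log lines are constructed assumptions.

THRESHOLD=3
ALLOWLIST="198.51.100.7"   # addresses never to blackhole (e.g. your own admin host)

# Constructed sample in OpenSSH's auth.log format (documentation IP ranges).
sample_log() {
cat <<'EOF'
Jan 10 03:12:01 host sshd[811]: Failed password for root from 203.0.113.5 port 40112 ssh2
Jan 10 03:12:03 host sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 40113 ssh2
Jan 10 03:12:05 host sshd[812]: Failed password for invalid user test from 203.0.113.5 port 40114 ssh2
Jan 10 03:13:10 host sshd[820]: Failed password for bob from 198.51.100.7 port 51000 ssh2
Jan 10 03:13:12 host sshd[820]: Failed password for bob from 198.51.100.7 port 51001 ssh2
Jan 10 03:13:14 host sshd[820]: Failed password for bob from 198.51.100.7 port 51002 ssh2
Jan 10 03:14:00 host sshd[830]: Failed password for invalid user x from 192.0.2.9 from 203.0.113.77 port 60000 ssh2
Jan 10 03:15:00 host sshd[840]: Accepted password for alice from 192.0.2.50 port 52000 ssh2
EOF
}

# Read auth.log on stdin; print IPv4 sources with >= THRESHOLD failures.
# The pattern is anchored to the end of the line because the user name is
# remote-supplied text and may itself contain "from <ip>".
offenders() {
    sed -n -E 's/^.*sshd\[[0-9]+\]: Failed password for .* from ([0-9]{1,3}(\.[0-9]{1,3}){3}) port [0-9]+ ssh2$/\1/p' |
    sort | uniq -c |
    while read -r count ip; do
        [ "$count" -ge "$THRESHOLD" ] || continue
        case " $ALLOWLIST " in *" $ip "*) continue ;; esac
        echo "$ip"
    done
}

# Print the route commands for review instead of executing them.
route_commands() {
    offenders | while read -r ip; do
        echo "route add -host $ip 127.0.0.1 -blackhole"
    done
}

sample_log | route_commands
```

On a real host, replace `sample_log` with `cat /var/log/auth.log` and review the printed commands before running them as root.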