# Blocking IP addresses



## dpalme (Nov 17, 2009)

I recall vaguely in the past having the ability to add IP addresses to a file that would prevent them from ever connecting to the server, whether that was via www and Apache, email, etc.

I have been searching Google tonight trying to find the info, but so far I have come up empty. Any suggestions?

The reason I am asking is that I have seen a huge increase in attempts to connect via ssh2 and I would like to just block them and be done with it.


----------



## SirDice (Nov 17, 2009)

dpalme said:

> I recall vaguely in the past having the ability to add IP addresses to a file that would prevent them from ever connecting to the server, whether that was via www and Apache, email, etc.


It's called a firewall. http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html



> The reason I am asking, is that I have seen a huge increase in attempts to connect via ssh2 and I would like to just block them and be done with it.


security/sshguard and a few others could help.

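What security/sshguard does for you, shown here as an added shell example that is not part of the thread and not sshguard's own code: scan sshd's auth.log lines, count password failures per source address, and emit the pfctl(8) commands that would put repeat offenders into a pf table. The log lines are constructed sample data, the threshold and the table name `<sshbrute>` are assumptions, and the commands are printed rather than executed so the result can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the thread): find ssh brute-force sources in auth.log
# the way security/sshguard does before it blocks them.

# Constructed sample of /var/log/auth.log lines; none of this is real traffic.
SAMPLE_LOG='Nov 17 22:01:10 gw sshd[8123]: Invalid user admin from 198.51.100.7
Nov 17 22:01:12 gw sshd[8123]: Failed password for invalid user admin from 198.51.100.7 port 51822 ssh2
Nov 17 22:01:15 gw sshd[8123]: Failed password for invalid user admin from 198.51.100.7 port 51822 ssh2
Nov 17 22:01:19 gw sshd[8123]: Failed password for invalid user admin from 198.51.100.7 port 51822 ssh2
Nov 17 22:02:03 gw sshd[8130]: Failed password for root from 203.0.113.9 port 4123 ssh2
Nov 17 22:02:07 gw sshd[8130]: Failed password for root from 203.0.113.9 port 4123 ssh2
Nov 17 22:05:44 gw sshd[8140]: Accepted publickey for dpalme from 192.0.2.10 port 50122 ssh2
Nov 17 22:06:01 gw sshd[8145]: Failed password for dpalme from 192.0.2.10 port 50130 ssh2
Nov 17 22:06:05 gw sshd[8145]: Accepted password for dpalme from 192.0.2.10 port 50130 ssh2'

# offending_ips THRESHOLD   (log lines on stdin)
# Prints, sorted and one per line, every source address with at least
# THRESHOLD "Failed password" lines.  Only those lines are counted: the
# "Invalid user" line describes the same attempt and would double-count it,
# and "Accepted ..." lines are successful logins.
offending_ips() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from" && $(i + 1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                    n[$(i + 1)]++
                    break
                }
        }
        END { for (ip in n) if (n[ip] >= t) print ip }
    ' | sort
}

# pf_block_commands THRESHOLD   (log lines on stdin)
# Turns the offenders into pfctl(8) commands that add them to the (assumed)
# pf table <sshbrute>.  Printed, not executed: review before blocking.
pf_block_commands() {
    offending_ips "$1" | while read -r ip; do
        printf 'pfctl -t sshbrute -T add %s\n' "$ip"
    done
}

# Stand-alone run: with a threshold of 3 the sample yields one address.
printf '%s\n' "$SAMPLE_LOG" | pf_block_commands 3
```

Run it against the real log with `offending_ips 5 < /var/log/auth.log`; the table the commands refer to has to exist in pf.conf (`table <sshbrute> persist` plus a `block in quick from <sshbrute>` rule) before `pfctl -t ... -T add` does anything useful. The threshold is the usual trade-off: too low and a colleague with a mistyped password ends up in the table, too high and a slow scanner never does.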

----------



## mix_room (Nov 17, 2009)

```
/etc/hosts.allow
/etc/hosts.block
```

Are those the files that you meant?


----------



## aragon (Nov 17, 2009)

Those files are only useful for daemons that support tcpwrappers.  Many don't, and even for those that do, a proper firewall like pf(4) or ipfw(8) is better.


----------



## philbenton (Nov 17, 2009)

I use IPFILTER. If that's what you're using, in /etc/ipf.rules you would have something like this to block all port 22 traffic:


```
block in log quick proto tcp/udp from any to any port = 22
```

or something like this to block a particular IP address:


```
block in log quick from 61.110.21.165/32 to any
```

Later down in the file, if you need access to port 22, you should allow connections from a specific IP address like this:


```
# 192.0.2.10 stands in for your own address; the post's original placeholder,
# 111.222.333.444, is not a valid IPv4 address and ipf would reject the rule.
pass in log quick on em0 proto tcp from 192.0.2.10 to any port = 22 flags S/SA keep state
```

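The three rules above put together into a working /etc/ipf.rules, as an added example rather than philbenton's actual file. One ordering point matters: in IPFilter the last matching rule normally wins, but `quick` ends evaluation at the first match, so a `pass` for the admin host placed after a `block ... quick` on port 22 is never reached. The admin host therefore has to come before the general block. The interface em0 and the admin address 192.0.2.10 are assumptions; 61.110.21.165 is the address from the post.

```ipf
# Added example /etc/ipf.rules (not from the thread).  em0 and 192.0.2.10
# are assumptions.  Rules with "quick" are final on first match, so order matters.

# One hostile source is dropped outright, on every interface, before anything else.
block in log quick from 61.110.21.165/32 to any

# The admin host may open ssh sessions.  This must precede the quick block on
# port 22 below, or it will never match.
pass in log quick on em0 proto tcp from 192.0.2.10 to any port = 22 flags S/SA keep state

# Everyone else who tries port 22 is dropped and logged.
block in log quick proto tcp/udp from any to any port = 22

# Connections this host initiates, and their replies, are allowed.
pass out quick on em0 from any to any keep state
```

Load it with `ipf -Fa -f /etc/ipf.rules` (flush, then reload) and confirm the order with `ipfstat -io`; a connection attempt from the admin host should show up on the `pass` rule's counter and nothing else on port 22 should get past the `block`.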

----------



## anomie (Nov 17, 2009)

I'd point out that FreeBSD's base system sshd is compiled with tcp wrapper support:

```
> ldd /usr/sbin/sshd | grep libwrap
	libwrap.so.4 => /usr/lib/libwrap.so.4 (0x280f5000)
```

I've heard the argument that a host-level firewall is a better approach, because you avoid the overhead of sshd ever handshaking (and evaluating an access control list). 

If you're already running a host-level firewall, it should be a no brainer to simply add rules filtering tcp port 22. (If not, I'd argue that tcp wrappers might be simpler and just as effective.)

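Since the base-system sshd is linked against libwrap, a few lines in /etc/hosts.allow are enough to restrict it; the following is an added example, not anything posted in the thread. FreeBSD reads only hosts.allow (there is no hosts.deny), the first matching line wins, and the stock file already contains an `ALL : ALL : allow` line, so sshd's lines have to be placed above it. The 192.0.2.0/24 management network and the log file name are assumptions.

```conf
# Added example /etc/hosts.allow entries for sshd (not from the thread).
# First match wins: keep these above the default "ALL : ALL : allow" line.
# 192.0.2.0/24 and /var/log/tcpwrap.log are assumptions.

# The management network may connect.
sshd : 192.0.2.0/255.255.255.0 : allow

# Everyone else is refused, and the refusal is appended to a file that a daily
# report can pick up (%d expands to the daemon name, %c to client information).
sshd : ALL : spawn (/bin/echo "`/bin/date` %d refused %c" >> /var/log/tcpwrap.log) & : deny
```

No restart is needed; sshd consults the file on every incoming connection. Before relying on it, check which line a given client would hit with `tcpdmatch sshd 203.0.113.9` and `tcpdmatch sshd 192.0.2.10`, which evaluate the file without opening a real connection.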

----------



## Ruler2112 (Nov 18, 2009)

Just to toss my config out there - I have a pf firewall in place that blocks all traffic except what I specifically allow.  I also have tcpwrappers in place, logging details to a file that I've included in the daily cron job.  If somebody does manage to break through my firewall, tcpwrappers still denies the connection and the attacker will need to break that layer of security.  Plus, it'll be like a red flag in the server report that evening and I can take appropriate action when I arrive at work the following day.

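A pf.conf in the spirit of the default-deny setup just described, as an added example (the post does not show Ruler2112's real configuration): everything inbound is blocked unless passed, ssh is rate-limited per source, and sources that exceed the rate are pushed into a table that is blocked outright. The interface em0, the `<sshbrute>` table name and the 5 connections per 30 seconds rate are assumptions, and other services (www, mail) would each need their own `pass` rule.

```pf
# Added example /etc/pf.conf (not from the thread): default deny plus
# automatic blocking of ssh brute-forcers.  em0, <sshbrute> and 5/30 are assumptions.
ext_if = "em0"

# Sources that hammered port 22.  "persist" keeps the table across reloads
# even when no rule references it, so entries added by hand survive.
table <sshbrute> persist

set skip on lo0

# Default deny: anything not explicitly passed below is dropped and logged.
block in log all

# Already-flagged sources are dropped before any pass rule is considered.
block in quick on $ext_if from <sshbrute> to any

# ssh is reachable, but a source that opens more than 5 connections in 30
# seconds is added to <sshbrute> and all of its existing states are killed.
pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <sshbrute> flush global)

# The host itself may initiate connections.
pass out quick on $ext_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. `pfctl -t sshbrute -T show` lists who has been caught, `pfctl -t sshbrute -T add 203.0.113.9` blocks a source by hand, and `pfctl -t sshbrute -T expire 86400` from cron drops entries older than a day so a one-off mistake does not lock someone out forever. With the tcp wrappers layer kept as well, a source that somehow gets past pf still has to satisfy hosts.allow, and the wrapper log line is the red flag in the next morning's report.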

----------

