# How to block attacks on port 11034



## sowanted (Dec 3, 2010)

Hi,

I have a game on my FreeBSD server. 11034 is my game's login port. Somebody is attacking port 11034, and my game login is disabled while the attack is running. How can I block this attack with ipfw or in other ways?


----------



## DutchDaemon (Dec 4, 2010)

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html


----------



## sowanted (Dec 4, 2010)

I don't know English well. I need a basic exposition, please help me.


----------



## Beastie (Dec 4, 2010)

The documentation is available in other languages.


----------



## sowanted (Dec 5, 2010)

There isn't any documentation: http://www.freebsd.org/doc/tr/articles/explaining-bsd/


----------



## SirDice (Dec 5, 2010)

If you block that port nobody will be able to play on your gameserver.


----------



## graudeejs (Dec 5, 2010)

security/knock - can also help you (at some point)


----------



## EdGe (Dec 5, 2010)

The OP asks how to block attacks to the game server's port.
Question to the audience: to do this, how about security/py-fail2ban or security/bruteblock?

Fail2ban


> Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address.



Bruteblock


> Bruteblock allows system administrators to block various bruteforce attacks on UNIX services. The program analyzes system logs and adds attacker's IP address into ipfw2 table effectively blocking them. Addresses are automatically removed from the table after specified amount of time.



For the documentation, an online translation might be helpful. Or a Turkish FreeBSD email list.


----------



## SirDice (Dec 6, 2010)

EdGe said:

> The OP asks how to block attacks to the game server's port.


I was well aware what the OP asked for.


> Question to the audience: to do this, how about security/py-fail2ban or security/bruteblock?


Neither is going to work in this case because neither can read the game server's logs. Both tools only respond when they detect a certain line in the log file that indicates a failed login attempt.


----------



## mix_room (Dec 6, 2010)

```
(max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
```

Use pf and the overload tables.


----------



## sowanted (Dec 20, 2010)

Hi, somebody is attacking my port 11034. How can I fix this? I can't block 11034 because the game uses this port for login on my server.


----------



## sowanted (Dec 22, 2010)

I still can't fix it.


----------



## DutchDaemon (Dec 22, 2010)

You have been given plenty of information and links. We're not going to do it _for_ you, I'm afraid.


----------



## sowanted (Dec 25, 2010)

*How to block attacks on port 13000*

Hello,
I am using ipfw on FreeBSD 7.2, 32-bit.

My ipfw.rules:

```
IPF="ipfw -q add"
ipfw -q -f flush

#P2P FiXX
$IPF 4 allow all from 94.102.0.120 to any 12001
$IPF 5 allow all from 127.0.0.0/8 to any 12001
$IPF 6 deny all from any to me 12001
$IPF 7 allow all from 94.102.0.120 to any 14000
$IPF 8 allow all from 127.0.0.0/8 to any 14000
$IPF 9 deny all from any to me 14000
$IPF 10 allow all from 94.102.0.120 to any 14001
$IPF 11 allow all from 127.0.0.0/8 to any 14001
$IPF 12 deny all from any to me 14001
$IPF 13 allow all from 94.102.0.120 to any 14002
$IPF 14 allow all from 127.0.0.0/8 to any 14002
$IPF 15 deny all from any to me 14002
$IPF 16 allow all from 94.102.0.120 to any 14003
$IPF 17 allow all from 127.0.0.0/8 to any 14003
$IPF 18 deny all from any to me 14003
$IPF 19 allow all from 94.102.0.120 to any 14004
$IPF 20 allow all from 127.0.0.0/8 to any 14004
$IPF 21 deny all from any to me 14004
$IPF 22 allow all from 94.102.0.120 to any 14061
$IPF 23 allow all from 127.0.0.0/8 to any 14061
$IPF 24 deny all from any to me 14061
$IPF 25 allow all from 94.102.0.120 to any 14099
$IPF 26 allow all from 127.0.0.0/8 to any 14099
$IPF 27 deny all from any to me 14099
$IPF 28 allow all from 94.102.0.120 to any 17000
$IPF 29 allow all from 127.0.0.0/8 to any 17000
$IPF 30 deny all from any to me 17000
$IPF 31 allow all from 94.102.0.120 to any 17001
$IPF 32 allow all from 127.0.0.0/8 to any 17001
$IPF 33 deny all from any to me 17001
$IPF 34 allow all from 94.102.0.120 to any 17002
$IPF 35 allow all from 127.0.0.0/8 to any 17002
$IPF 36 deny all from any to me 17002
$IPF 37 allow all from 94.102.0.120 to any 17003
$IPF 38 allow all from 127.0.0.0/8 to any 17003
$IPF 39 deny all from any to me 17003
$IPF 40 allow all from 94.102.0.120 to any 17004
$IPF 41 allow all from 127.0.0.0/8 to any 17004
$IPF 42 deny all from any to me 17004
$IPF 43 allow all from 94.102.0.120 to any 17061
$IPF 44 allow all from 127.0.0.0/8 to any 17061
$IPF 45 deny all from any to me 17061
$IPF 46 allow all from 94.102.0.120 to any 17099
$IPF 47 allow all from 127.0.0.0/8 to any 17099
$IPF 48 deny all from any to me 17099
$IPF 49 allow all from 94.102.0.120 to any 19000
$IPF 50 allow all from 127.0.0.0/8 to any 19000
$IPF 51 deny all from any to me 19000
$IPF 52 allow all from 94.102.0.120 to any 19001
$IPF 53 allow all from 127.0.0.0/8 to any 19001
$IPF 54 deny all from any to me 19001
$IPF 55 allow all from 94.102.0.120 to any 19002
$IPF 56 allow all from 127.0.0.0/8 to any 19002
$IPF 57 deny all from any to me 19002
$IPF 58 allow all from 94.102.0.120 to any 19003
$IPF 59 allow all from 127.0.0.0/8 to any 19003
$IPF 60 deny all from any to me 19003
$IPF 61 allow all from 94.102.0.120 to any 19004
$IPF 62 allow all from 127.0.0.0/8 to any 19004
$IPF 63 deny all from any to me 19004
$IPF 64 allow all from 94.102.0.120 to any 19061
$IPF 65 allow all from 127.0.0.0/8 to any 19061
$IPF 66 deny all from any to me 19061
$IPF 67 allow all from 94.102.0.120 to any 19099
$IPF 68 allow all from 127.0.0.0/8 to any 19099
$IPF 69 deny all from any to me 19099
$IPF 70 allow all from 94.102.0.120 to any 21000
$IPF 71 allow all from 127.0.0.0/8 to any 21000
$IPF 72 deny all from any to me 21000
$IPF 73 allow all from 94.102.0.120 to any 21001
$IPF 74 allow all from 127.0.0.0/8 to any 21001
$IPF 75 deny all from any to me 21001
$IPF 76 allow all from 94.102.0.120 to any 21002
$IPF 77 allow all from 127.0.0.0/8 to any 21002
$IPF 78 deny all from any to me 21002
$IPF 79 allow all from 94.102.0.120 to any 21003
$IPF 80 allow all from 127.0.0.0/8 to any 21003
$IPF 81 deny all from any to me 21003
$IPF 82 allow all from 94.102.0.120 to any 21004
$IPF 83 allow all from 127.0.0.0/8 to any 21004
$IPF 84 deny all from any to me 21004
$IPF 85 allow all from 94.102.0.120 to any 21061
$IPF 86 allow all from 127.0.0.0/8 to any 21061
$IPF 87 deny all from any to me 21061
$IPF 88 allow all from 94.102.0.120 to any 21099
$IPF 89 allow all from 127.0.0.0/8 to any 21099
$IPF 90 deny all from any to me 21099
$IPF 91 allow all from 94.102.0.120 to any 15001
$IPF 92 allow all from 127.0.0.0/8 to any 15001
$IPF 93 deny all from any to me 15001
$IPF 200 allow tcp from any to any 11002 in
$IPF 210 allow tcp from any to any 11002 out
$IPF 200 allow udp from any to any 11002 in
$IPF 210 allow udp from any to any 11002 out
$IPF 200 allow tcp from any to any 13000 in
$IPF 210 allow tcp from any to any 13000 out
$IPF 200 allow tcp from any to any 13001 in
$IPF 210 allow tcp from any to any 13001 out
$IPF 200 allow tcp from any to any 13002 in
$IPF 210 allow tcp from any to any 13002 out
$IPF 200 allow tcp from any to any 13003 in
$IPF 210 allow tcp from any to any 13003 out
$IPF 200 allow tcp from any to any 13004 in
$IPF 210 allow tcp from any to any 13004 out
$IPF 200 allow tcp from any to any 13061 in
$IPF 210 allow tcp from any to any 13061 out
$IPF 200 allow tcp from any to any 13099 in
$IPF 210 allow tcp from any to any 13099 out


# Standard rules

$IPF 10000 allow all from any to any via lo0
$IPF 20000 deny all from any to 127.0.0.0/8
$IPF 30000 deny all from 127.0.0.0/8 to any
#$IPF 30000 deny all from any to me 16000
$IPF 40000 allow all from any to any
```

My `netstat -an` output:


```
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0 94.102.0.120.13000     78.179.205.187.57011   SYN_RCVD
tcp4       0      0 94.102.0.120.13000     78.179.205.187.56995   SYN_RCVD
tcp4       0      0 94.102.0.120.13000     78.171.108.121.4817    SYN_RCVD
tcp4       0      0 94.102.0.120.13000     88.246.114.134.4721    SYN_RCVD
tcp4       0      0 94.102.0.120.13000     88.226.86.165.1342     SYN_RCVD
tcp4       0      0 94.102.0.120.13000     88.226.86.165.1318     SYN_RCVD
tcp4       0      0 94.102.0.120.13000     88.226.86.165.1314     SYN_RCVD
tcp4       0      0 94.102.0.120.13000     88.226.86.165.1308     SYN_RCVD
tcp4       0      0 94.102.0.120.13000     88.226.86.165.1302     SYN_RCVD
tcp4       0      0 94.102.0.120.13000     88.226.86.165.1238     SYN_RCVD
tcp4       0      0 94.102.0.120.13000     88.226.86.165.1138     SYN_RCVD
tcp4       0      0 94.102.0.120.13000     88.226.86.165.1080     SYN_RCVD
tcp4       0      0 94.102.0.120.13000     88.226.86.165.1058     SYN_RCVD
tcp4       0      0 94.102.0.120.13000     88.226.86.165.1044     SYN_RCVD
tcp4       0      0 94.102.0.120.13000     88.226.86.165.1038     SYN_RCVD
tcp4       0      0 94.102.0.120.13000     88.226.86.165.5000     SYN_RCVD
tcp4       0      0 94.102.0.120.13000     88.226.86.165.4962     SYN_RCVD
tcp4       0      0 94.102.0.120.13000     88.226.86.165.4956     SYN_RCVD
tcp4       0      0 94.102.0.120.13000     88.226.86.165.4910     SYN_RCVD
tcp4       0      0 94.102.0.120.13000     88.226.86.165.4906     SYN_RCVD
tcp4       0      0 94.102.0.120.13000     88.243.168.92.1150     SYN_RCVD
tcp4       0      0 94.102.0.120.13000     95.10.246.185.22212    SYN_RCVD
tcp4       0      0 94.102.0.120.13000     95.10.246.185.22210    SYN_RCVD
tcp4       0      0 94.102.0.120.13000     88.241.135.0.4034      SYN_RCVD
tcp4       0      0 94.102.0.120.13000     85.98.121.56.32937     SYN_RCVD
tcp4       0      0 94.102.0.120.13000     88.226.5.4.60363       SYN_RCVD
tcp4       0      0 94.102.0.120.13000     88.226.5.4.60353       SYN_RCVD
tcp4       0      0 94.102.0.120.13000     88.226.5.4.60349       SYN_RCVD
tcp4       0      0 94.102.0.120.13000     88.226.5.4.60347       SYN_RCVD
tcp4       0      0 94.102.0.120.13000     88.226.5.4.60343       SYN_RCVD
tcp4       0      0 94.102.0.120.13000     88.226.5.4.60341       SYN_RCVD
tcp4       0      0 94.102.0.120.13000     88.226.5.4.60741       SYN_RCVD
tcp4       0      0 94.102.0.120.13000     88.226.5.4.60739       SYN_RCVD
tcp4       0      0 94.102.0.120.13000     88.226.5.4.60737       SYN_RCVD
tcp4       0      0 94.102.0.120.13000     88.226.5.4.60725       SYN_RCVD
tcp4       0      0 94.102.0.120.13000     88.226.5.4.60721       SYN_RCVD
tcp4       0      0 94.102.0.120.13000     95.10.222.91.1786      SYN_RCVD
tcp4       0      0 94.102.0.120.13000     95.10.222.91.1904      SYN_RCVD
tcp4       0      0 94.102.0.120.13000     95.10.222.91.1886      SYN_RCVD
tcp4       0      0 94.102.0.120.13000     78.184.192.60.1517     SYN_RCVD
tcp4       0      0 94.102.0.120.13000     78.179.205.187.57012   SYN_RCVD
tcp4       0      0 94.102.0.120.13000     78.189.17.248.1093     SYN_RCVD
tcp4       0      0 94.102.0.120.13000     78.189.17.248.1091     SYN_RCVD
tcp4       0      0 94.102.0.120.13000     78.189.17.248.1089     SYN_RCVD
more...
...
...
..
```


Thanks,


----------



## DutchDaemon (Dec 25, 2010)

There's no need to open a new topic for the same question.


----------



## DutchDaemon (Dec 25, 2010)

If IPF does not have overload protection, switch to a firewall that does, like PF.


----------



## sowanted (Dec 25, 2010)

mix_room said:

> ```
> (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
> ```
> 
> Use pf and the overload tables.



Please write all the rules for me.


----------



## DutchDaemon (Dec 25, 2010)

You must be joking, those rules are for an entirely different application. Do your homework. 

pf.conf(5)
http://www.openbsd.org/faq/pf/


----------



## sowanted (Dec 26, 2010)

Sorry, I don't know English well, so I want a rule.

I tried this rule:

```
block quick from <snort2c> to any label "Block snort2c hosts"
    (max-src-conn 10, max-src-conn-rate 5/2, flush)
```

But it doesn't work. I tried to block the IP with this command: `pfctl -t blockedips -T add 85.101.146.226`

But it doesn't work either. I am still under attack.

Command:

```
netstat -na | awk '{print $5}' | cut -f1,2,3,4 -d '.' | sort | uniq -c | sort -n
```

Output:

```
..
more..
  16 127.0.0.1
  31 *.*
  42 94.102.0.123
  62 0
 850 95.7.227.212
1500 85.101.146.226
```

Thanks.


----------
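The `netstat` pipeline in the last post counts every socket per foreign address, whatever its state or port. As an added example (not code from any poster in this thread), the function below narrows the count to half-open `SYN_RCVD` connections on one local port, which is the pattern visible in the port 13000 listing above. The function name, the threshold argument and the sample addresses are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): count half-open TCP connections
# per source IP for one local port, from FreeBSD `netstat -an` on stdin.

# syn_rcvd_by_source PORT [THRESHOLD]   (hypothetical helper name)
# Prints "COUNT IP" lines, highest count first, for every source with at
# least THRESHOLD connections in SYN_RCVD state to local PORT.
syn_rcvd_by_source() {
    port="$1"
    threshold="${2:-1}"
    awk -v port="$port" -v min="$threshold" '
        # Columns: $4 = local a.b.c.d.port, $5 = foreign a.b.c.d.port, $6 = state
        $1 ~ /^tcp/ && $6 == "SYN_RCVD" {
            n = split($4, l, "[.]")
            if (l[n] != port) next                 # a different service
            if (split($5, f, "[.]") != 5) next     # not an IPv4 addr.port pair
            count[f[1] "." f[2] "." f[3] "." f[4]]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min) print count[ip], ip
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample in the same layout as the netstat output in the thread
# (documentation-range addresses, not real hosts).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.13000       198.51.100.7.1342      SYN_RCVD
tcp4       0      0 192.0.2.10.13000       198.51.100.7.1318      SYN_RCVD
tcp4       0      0 192.0.2.10.13000       198.51.100.7.1314      SYN_RCVD
tcp4       0      0 192.0.2.10.13000       203.0.113.25.60363     SYN_RCVD
tcp4       0      0 192.0.2.10.13000       203.0.113.25.60353     SYN_RCVD
tcp4       0      0 192.0.2.10.13000       203.0.113.99.4817      ESTABLISHED
tcp4       0      0 192.0.2.10.22          198.51.100.7.50522     SYN_RCVD
tcp4       0      0 *.13000                *.*                    LISTEN
EOF
}

# Demo: sources with 3 or more half-open connections to port 13000
sample_netstat | syn_rcvd_by_source 13000 3
```

On the server the input would come from `netstat -an | syn_rcvd_by_source 13000 20`. Addresses added to a pf table with `pfctl -t <table> -T add` are only dropped if the loaded ruleset has a block rule that references that same table name; the last post adds to `blockedips` while the rule it shows refers to `<snort2c>`.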

