A firewall is your first line of defense, but if you allow public access to port 22 (SSH, secure shell), port 23 (Telnet), or port 21 (FTP), these ports can be bombarded with login attempts that try common ID/password combinations, probing for access. In the case of port 80 (web server), it can be bombarded with access requests designed to consume server resources, resulting in a denial of service to legitimate user requests. To the firewall these all look like legitimate packets.
Almost 98 percent of attackers are script kiddies. Their attacks are almost entirely based on indiscriminately rolling through a range of sequential IP addresses (i.e., they never use DNS to look up your domain name); you were found by plain bad luck. They run scripts that only address the well-known ports those services listen on. You can use this knowledge to defend against this type of attack.
The simplest defense is to change the port numbers these services use. /etc/services is where the SSH, Telnet, and FTP port numbers are defined and where you would change them. (Note: your firewall should only allow passive FTP, by not opening the high port numbers used for active FTP data transmission.) For the Apache web server you specify the access port number in the httpd.conf definitions.
Remote clients who want to access your public services on the alternate port number will have to enter the alternate port number as part of the login command. After setting up alternate port numbers you can have your firewall log all access to ports 21, 22, 23, or 80 and report the abuse to the ISP that owns the sending IP address using the FreeBSD port ppars-1.0 (see Abuse reporting system).
Or, if you don't want to use the automated abuse reporting system, you can take the sending IP address from your firewall log, run a manual whois command to find the ISP that owns the offending IP address along with the ISP's abuse reporting email address, and send your own email to them about their client sending you attack packets.
Whether you use the customary port numbers or alternate port numbers for SSH, FTP, or Telnet, all failed logins are logged to the /var/log/auth.log file. In most cases the sending IP address is the real IP address of the attacker. In the long term the solution is to do a whois on the attacker's IP address and report him to the ISP that owns the IP address.
In the short term, to stop a login attack in progress, many people will add a "deny this IP address" rule to their firewall rule set file. Yes, this will stop the attack immediately, but when a firewall keeps all these special "deny this IP address" rules it becomes very hard to maintain as the list of denied IP address rules grows longer. A far better solution is to separate the denied IP address list from the firewall rule set. This can be done using the route command's -blackhole option.
To add: route add -host attacker_ip 127.0.0.1 -blackhole
To delete: route delete -host attacker_ip 127.0.0.1 -blackhole
To list: netstat -nr | grep 127
This is executed in the IP stack and is faster than the firewall once you have over 20 of those special "deny this IP address" rules in the firewall. The attacker_ip is found in the log records in the /var/log/auth.log file.
You can create a script (route_blackholed_ip.sh) containing route commands for all the IP addresses that have attacked you in the past and save it to /usr/local/etc/rc.d/ so it will be run at boot time.
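As an added example (not the guide's own script, and not part of the ppars port), here is what such a boot-time script could look like. Instead of hard-coding one route command per attacker, it reads the addresses from a plain text list, validates each entry, and installs a blackhole route for each one. The list path /usr/local/etc/blackholed_ips.txt and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical /usr/local/etc/rc.d/route_blackholed_ip.sh (added example, not the guide's own script).
# Reads one attacker address per line from a list file and installs a blackhole route for each,
# so the growing deny list lives in a plain text file rather than in the firewall rule set.
# BLACKHOLE_LIST is an assumed path; DRY_RUN=1 prints the route commands instead of running them.

BLACKHOLE_LIST="${BLACKHOLE_LIST:-/usr/local/etc/blackholed_ips.txt}"
DRY_RUN="${DRY_RUN:-0}"

# is_ipv4 ADDR: succeed only for a dotted quad whose four octets are all in 0..255
is_ipv4() {
    [ -n "$1" ] || return 1
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# blackhole_cmd ADDR: print the route command that blackholes ADDR
blackhole_cmd() {
    printf 'route add -host %s 127.0.0.1 -blackhole\n' "$1"
}

# load_blackholes FILE: install (or, with DRY_RUN=1, print) a blackhole route for every
# valid address in FILE; blank lines and text after '#' are ignored, bad entries are reported
load_blackholes() {
    while IFS= read -r line || [ -n "$line" ]; do
        addr=$(printf '%s' "${line%%#*}" | tr -d ' \t')
        [ -n "$addr" ] || continue
        if ! is_ipv4 "$addr"; then
            echo "route_blackholed_ip: ignoring invalid entry '$line'" >&2
            continue
        fi
        if [ "$DRY_RUN" = 1 ]; then
            blackhole_cmd "$addr"
        else
            route add -host "$addr" 127.0.0.1 -blackhole >/dev/null 2>&1 ||
                echo "route_blackholed_ip: route add failed for $addr" >&2
        fi
    done < "$1"
}

# At boot, rc runs this script with "start"; with no list file there is nothing to do.
case "${1:-start}" in
    start) [ -f "$BLACKHOLE_LIST" ] && load_blackholes "$BLACKHOLE_LIST" ;;
esac
```

Add addresses to the list file as they turn up in /var/log/auth.log, and run the script once with DRY_RUN=1 to check what it would do before relying on it at boot. Blackhole routes only affect traffic to and from the listed hosts, so a typo in the list cannot block anyone else, but an invalid entry is reported rather than silently skipped so the list stays clean.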
The same process used by the abuse reporting system to process the /var/log/security log file can be modified to automate the processing of the /var/log/auth.log file, creating the route blackhole commands on the fly while the attack is occurring.
Web server attacks are denial of service (DoS) attacks. There is no trigger that will notify you when one occurs. Most likely your first warning that something is wrong is when people start asking you why your web server is down. When you have reason to suspect your web server is under attack, check the /var/log/httpd-access.log file. This log file gets a record for every file accessed through your web server. Part of the log record is the requesting IP address or its DNS name. When you see a lot of log records (in the hundreds) from the same IP address, that is your attacker. In almost all cases the requesting IP address is spoofed. Spoofed means the IP address is a real, publicly routable Internet IP address belonging to a legitimate user which, unknown to him, the attacker has used to hide his real identity.
As with login attacks, you can add a special "deny this IP address" rule to your firewall rule set file or use the route command's -blackhole option.
The same process used by the abuse reporting system to process the /var/log/security log file can be modified to automate the processing of the /var/log/httpd-access.log file, creating the route blackhole commands on the fly while the attack is occurring.
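The following is an added example, not the guide's own process or the ppars code, of what that on-the-fly processing could look like for both /var/log/auth.log (failed sshd logins) and /var/log/httpd-access.log (one record per request). For either log it extracts the source address of each record, counts records per address, and prints a route blackhole command for every address at or above a threshold. The ALLOWLIST variable, the function names and the sample log lines are constructed for this example; the sample records are not real traffic.

```shell
#!/bin/sh
# Added example (not the guide's or the ppars port's code): turn log records from
# /var/log/auth.log and the Apache access log into route blackhole commands for
# addresses that exceed a threshold, so the commands can be generated while an
# attack is in progress. ALLOWLIST is an assumed safety net: addresses listed in it
# (your own management hosts, for example) are never blackholed.

ALLOWLIST="${ALLOWLIST:-127.0.0.1}"

# failed_login_ips LOGFILE: print the source address of every failed sshd login.
# sshd logs "Failed password for [invalid user] NAME from ADDR port N ssh2".
failed_login_ips() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
        for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
    }' "$1"
}

# web_request_ips LOGFILE: print the client field of every access-log record
# (an address, or a host name if the server does reverse lookups).
web_request_ips() {
    awk '{ print $1 }' "$1"
}

# offenders THRESHOLD: read addresses on stdin; print, sorted, each one that
# appears at least THRESHOLD times.
offenders() {
    sort | uniq -c | awk -v t="$1" '$1 >= t { print $2 }' | sort
}

# not_allowlisted: drop any address on stdin that appears in ALLOWLIST.
not_allowlisted() {
    awk -v list="$ALLOWLIST" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        !($1 in keep)'
}

# blackholes_from auth|httpd LOGFILE THRESHOLD: print one route command per offender.
blackholes_from() {
    case "$1" in
        auth)  extract=failed_login_ips ;;
        httpd) extract=web_request_ips ;;
        *) echo "usage: blackholes_from auth|httpd LOGFILE THRESHOLD" >&2; return 2 ;;
    esac
    "$extract" "$2" | offenders "$3" | not_allowlisted | while IFS= read -r ip; do
        printf 'route add -host %s 127.0.0.1 -blackhole\n' "$ip"
    done
}

# Constructed sample records (not real traffic) so the script runs stand-alone.
demo() {
    auth=$(mktemp) && web=$(mktemp) || return 1
    cat > "$auth" <<'EOF'
Jan  5 03:14:07 gw sshd[1234]: Failed password for root from 203.0.113.9 port 41234 ssh2
Jan  5 03:14:09 gw sshd[1234]: Failed password for invalid user admin from 203.0.113.9 port 41240 ssh2
Jan  5 03:14:11 gw sshd[1234]: Failed password for invalid user test from 203.0.113.9 port 41251 ssh2
Jan  5 03:20:00 gw sshd[1300]: Failed password for alice from 192.0.2.44 port 50022 ssh2
Jan  5 03:21:00 gw sshd[1301]: Accepted publickey for alice from 192.0.2.44 port 50030 ssh2
EOF
    i=0
    while [ "$i" -lt 200 ]; do
        echo '198.51.100.7 - - [05/Jan/2024:03:30:00 +0000] "GET / HTTP/1.0" 200 512'
        i=$((i + 1))
    done > "$web"
    echo '192.0.2.44 - - [05/Jan/2024:03:31:00 +0000] "GET /index.html HTTP/1.0" 200 512' >> "$web"
    echo "# addresses with 3 or more failed logins:"
    blackholes_from auth "$auth" 3
    echo "# addresses with 100 or more web requests:"
    blackholes_from httpd "$web" 100
    rm -f "$auth" "$web"
}

# Run the demonstration when invoked directly; a periodic job would instead run
# blackholes_from against the live log and execute the printed commands as root.
demo
```

Keep the threshold well above what a legitimate client produces (a single failed login or a busy but honest browser should never qualify), and put your own management addresses in ALLOWLIST so a mistyped password from your desk does not lock you out. If your web server logs DNS names rather than addresses, the count is per name, so compare against the same field you see in /var/log/httpd-access.log.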
This FreeBSD Installer Guide is a public domain HOW-TO. This content may be reproduced, in any form or by any means, and used by all without permission in writing from the author.