On Oct 9, 2007, at 9:56 AM, Raquel wrote:
On Tue, 09 Oct 2007 10:56:20 -0400
Kamaraju S Kusumanchi <[EMAIL PROTECTED]> wrote:
fail2ban seems to be the preferred solution. However, I just
manually add the offending IP addresses to /etc/hosts.deny to
prevent any future attacks from the same IPs.
hth
raju
--
This is a solution. But, what about people who have dynamic IP
addresses? Everyone from AOL gets blocked from accessing anything
on your server(s)?
Most likely he doesn't have any users on AOL, so it works for him.
Most of these attacks seem to come from China, anyway. I've known
people to just block all the Asian netblocks and be done with it. I
hear it cuts out a lot of spam, too. Kind of a scorched-earth
tactic, though!
I can't get away with that sort of thing because I *do* have users on
various ISPs that use dynamic IPs. So I use fail2ban, which allows
IPs to expire off the blocklist after a while. On my home system,
which runs FreeBSD, I'm using sshguard. Sshguard takes a
particularly clever approach, I think -- instead of polling the
logfiles, like fail2ban does, it gets added to syslog.conf as a log
destination, so it gets the messages directly.
Given the lists of names some of these crackers are using, I wonder
what their success rate is. I can understand trying the root
account, but I've seen some pretty ludicrous sets of usernames being
attempted. Some seem to be just throwing a dictionary at it, and one
that I ran into the other day appeared to be using a list of Finnish
first names. (Not many Markos or Toivos on my machine, I'm afraid.)
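The fail2ban-style logic the thread describes (count failed sshd logins per IP inside a time window, ban after a threshold, let the ban expire so a reassigned dynamic IP is not blocked for good, and keep a tally of which usernames were tried), as an added example that is not from the original thread and not fail2ban's or sshguard's own code. The log lines and the year 2007 are constructed, and the threshold, window and expiry values are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog format); not from a real host.
SAMPLE_LOG = """\
Oct  9 09:50:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Oct  9 09:50:03 host sshd[1002]: Failed password for invalid user marko from 203.0.113.5 port 40002 ssh2
Oct  9 09:50:05 host sshd[1003]: Failed password for invalid user toivo from 203.0.113.5 port 40003 ssh2
Oct  9 09:51:00 host sshd[1004]: Failed password for invalid user admin from 198.51.100.7 port 40004 ssh2
Oct  9 09:52:00 host sshd[1005]: Accepted password for alice from 192.0.2.9 port 40005 ssh2
Oct  9 10:05:00 host sshd[1006]: Failed password for invalid user admin from 198.51.100.7 port 40006 ssh2
"""

FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port"
)

def parse_time(stamp, year=2007):
    # syslog timestamps carry no year; 2007 is assumed to match the thread's date
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def scan(log, maxretry=3, findtime=600, bantime=900):
    """Replay log lines once; return ({ip: (ban_start, ban_expiry)}, Counter of usernames tried)."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    usernames = Counter()          # which account names the attackers tried
    bans = {}
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue               # successful logins and other noise are ignored
        t = parse_time(m.group(1))
        user, ip = m.group(2), m.group(3)
        usernames[user] += 1
        if ip in bans:
            continue               # already banned during this replay
        # keep only failures inside the findtime window (fail2ban's "findtime")
        recent = [x for x in failures[ip] if t - x <= timedelta(seconds=findtime)]
        recent.append(t)
        failures[ip] = recent
        if len(recent) >= maxretry:
            bans[ip] = (t, t + timedelta(seconds=bantime))
    return bans, usernames

def is_banned(bans, ip, now):
    """True only while the ban is live: it expires after bantime, unlike a /etc/hosts.deny entry."""
    entry = bans.get(ip)
    return entry is not None and entry[0] <= now < entry[1]
```

With the sample data, 203.0.113.5 is banned after its third failure at 09:50:05 and is clear again after 10:05:05, while 198.51.100.7 is never banned because its two failures fall outside one findtime window.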