Mike Marion wrote:
I know a big "Solaris is the only true OS" person that, for some reason, had set up a system ages ago to use routing vs. IP filtering to block people that probed or did too many ssh attempts, and never bothered to convert it to IP filtering eventually. Worked great until he had about 64k routing entries for specific hosts to null. That one made me chuckle, because every single packet that ever entered or left the box had to parse the entire routing ruleset he'd built up over time.
Which is exactly why the OSSEC block entries are removed after a certain amount of time (which is configurable). Most people attempting to crack a system are using a script and, after a short amount of time, will most likely not hit the box again if it finds it's blocked (e.g., the box looks like it's not there). Others will give up as soon as they realize you have measures in place. In either case, even if they come back again later, they'll just get blocked again.
Those malicious folks from problem subnets can be blocked permanently at either firewall (there are many subnets that are known to be a huge source of spammers/crackers that are blocked like this at Greenest Host).
My standard policy is to block for 24 hours. I also have my IP and my brother's IP (on my server) in the whitelist so that I don't block myself if I do something stupid (and since the box is managed, the data center admins have access as well in case something really crazy happens, which is not likely and has not happened in years anyway).
PGA
--
Paul G. Allen, BSIT/SE
Owner, Sr. Engineer
Random Logic Consulting
http://www.randomlogic.com
--
KPLUG-List@kernel-panic.org
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
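Added example (not from the thread, and not Paul's or Mike's config): the OSSEC ossec.conf stanzas that express the two points above, a whitelist of addresses that are never blocked and a block that expires after 24 hours instead of accumulating forever. The addresses are made-up placeholders, and the sshd brute-force rule id 5712 is the one from the stock sshd_rules.xml; check your installed ruleset before relying on it. The first active-response block is the "grows without bound" form (no timeout, so entries are permanent, the same failure mode as the 64k null routes); the second is the bounded form.

```xml
<ossec_config>
  <global>
    <!-- Addresses that active response must never block. Placeholder
         values: put your own admin/workstation IPs here. -->
    <white_list>192.0.2.10</white_list>
    <white_list>198.51.100.25</white_list>
  </global>

  <!-- firewall-drop.sh ships with OSSEC and inserts a DROP rule for the
       source IP; timeout_allowed lets OSSEC call it again to remove the rule. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- WEAK: no <timeout>, so every blocked source stays in the firewall
       table until someone cleans it by hand. The table only ever grows. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5712</rules_id>
  </active-response>

  <!-- BOUNDED: same trigger, but the block is removed after 86400 seconds
       (24 hours). A returning scanner simply trips the rule and gets
       blocked again, while the firewall table stays small. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5712</rules_id>
    <timeout>86400</timeout>
  </active-response>
</ossec_config>
```

Keep only one of the two active-response stanzas in a real config; they are shown side by side only to contrast the permanent and the timed block. Permanent blocks for whole problem subnets, as mentioned for Greenest Host, belong in the firewall's own static ruleset rather than in active response, so the dynamic table never has to hold them.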