Gábor Szabó wrote:
> I see in my log files many entries of this type (with various usernames)
>
> Failed logins from these:
> aa/password from 131.247.3.147: 1 Time(s)
>
>
> What would be the best action with this?
>
> 1) Ignore, they could not authenticate after all
> 2) put the above IP address in hosts.deny
> 3) put the whole class C in hosts.deny
> 4) Call the police ? Which police?
> 5) ?

5) Use fail2ban and have it monitor your logs; it will automatically add a firewall rule to block the host for a while, and will remove the rule after some time passes. This will prevent a long series of attempts, and will delay any such attack. It will not protect against someone who will try doing it slowly.

I've tried reporting to the ISP who holds these IPs but the response rate was low. Usually it's not worth your time.

Baruch
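
Added example, not part of the original thread and not fail2ban's own code: a simplified model of the ban logic described in the reply, using fail2ban's option names `maxretry`, `findtime` and `bantime`. The sshd-style log format, the timestamps and the addresses (documentation ranges) are constructed assumptions; the thread does not say which service logged the failures.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: ISO timestamp followed by an sshd "Failed password" message.
FAILED = re.compile(
    r"^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+)")

def sample_log():
    """Constructed sample: a fast burst from one address, a slow trickle from another."""
    t0 = datetime(2024, 1, 1)
    rows = [(t0 + timedelta(seconds=10 * i), "192.0.2.10") for i in range(6)]
    rows += [(t0 + timedelta(minutes=15 * i), "198.51.100.7") for i in range(6)]
    return [f"{t.isoformat()} sshd[1234]: Failed password for invalid user aa "
            f"from {ip} port 4022 ssh2" for t, ip in sorted(rows)]

def simulate(lines, maxretry=3, findtime=600, bantime=600):
    """Treat each line as an attempt. Return (bans, blocked): bans is a list of
    (ip, start, end); blocked counts attempts that arrived during a ban."""
    window = defaultdict(deque)      # ip -> failure times within findtime
    banned_until = {}                # ip -> time the firewall rule is removed
    bans, blocked = [], 0
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            blocked += 1             # the temporary rule drops this attempt
            continue
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()              # forget failures older than findtime
        if len(q) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts, banned_until[ip]))
            q.clear()
    return bans, blocked

if __name__ == "__main__":
    for findtime in (600, 3600):
        bans, blocked = simulate(sample_log(), findtime=findtime)
        print(findtime, sorted({ip for ip, _, _ in bans}), "blocked:", blocked)
```

With a 10-minute `findtime` only the burst source is banned; the source that spaces its failures 15 minutes apart never accumulates `maxretry` failures inside the window. Widening `findtime` to an hour brings it into scope as well.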
