Hadley Rich wrote:
> On Tue, 12 Jul 2005 21:41, Jim Cheetham wrote:
>> I've been playing around with greylisting attack sources - it was
> I'm interested in this myself actually, what are you using to do this? Do you
> have any informative links to share on the subject?

Not really, it's more of a technique that I saw discussed, and decided to implement. I'm sure there are pre-packaged solutions somewhere, but I don't have them at the moment.

And it has nothing to do with the email "reject/accept" scheme, it just happens to share a name because of the fit in between blacklisting and whitelisting ...

Basically, you watch your log files for anything odd (see the logcheck package for examples). If one IP address triggers too many "odd" events within a short period of time, you pop them into iptables to reject all traffic from them. After a couple of hours, you remove the rule (you don't really want the iptables rulesets to get too long if you can avoid it).

There's lots of options you can choose to employ - mostly to do with only blocking some services, or keeping track of the activity over time, and making the blocks for a longer duration if they keep on attacking ... but that's all overkill for me. I just want them to go away for now - instead of wasting my CPU on rejecting their continual ssh probes, for example, I just drop them off my Internet.

Did I remember to say you must whitelist your own accesses before trying a scheme like this? :-)

Even if it doesn't really help, it makes me feel better :-)

-jim
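The scheme Jim describes (count "odd" log events per source IP, block the noisy ones with iptables, whitelist yourself first, lift the rule a couple of hours later) as an added example; this is not Jim's script and not a logcheck component. It assumes GNU grep/awk, sshd-style auth log lines, and at(1) for the delayed removal; the log lines, IP addresses, threshold and whitelist below are constructed for the demo, and the iptables commands are only printed, never executed.

```shell
#!/bin/sh
# Added example (not the poster's code): a minimal "greylist the attacker" pass.
# It scans an auth.log-style file for "odd" events (here: sshd login failures,
# a logcheck-style pattern), counts them per source IP, drops whitelisted IPs,
# and prints the iptables block plus its scheduled removal. Nothing is applied.

# Pattern for events we treat as "odd" (assumption: sshd auth failures only).
ODD_RE='sshd\[[0-9]+\]: (Failed password|Invalid user)'

# count_odd_events LOG  ->  "<count> <ip>" per source IP, most active first
count_odd_events() {
    grep -E "$ODD_RE" "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i+1) }' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# pick_offenders LOG THRESHOLD WHITELIST_FILE
#   -> IPs with at least THRESHOLD odd events that are not listed (one IP per
#      line) in WHITELIST_FILE; whitelist your own addresses before anything else.
pick_offenders() {
    count_odd_events "$1" |
        awk -v t="$2" '$1 >= t { print $2 }' |
        grep -vxF -f "$3" |
        sort
}

# block_commands IP HOURS -> the two commands that would block IP now and lift
# the rule HOURS later, so the ruleset does not grow forever (assumes at(1)).
block_commands() {
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
    printf "echo 'iptables -D INPUT -s %s -j DROP' | at now + %s hours\n" "$1" "$2"
}

# dry_run LOG THRESHOLD WHITELIST_FILE HOURS -> prints every command, runs none
dry_run() {
    for ip in $(pick_offenders "$1" "$2" "$3"); do
        block_commands "$ip" "$4"
    done
}

# --- constructed sample input (documentation-range IPs, not real hosts) ---
SAMPLE_LOG=$(mktemp)
WHITELIST=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$WHITELIST"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Jul 12 21:40:01 host sshd[1001]: Invalid user admin from 203.0.113.7
Jul 12 21:40:03 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2
Jul 12 21:40:09 host sshd[1002]: Failed password for root from 203.0.113.7 port 4023 ssh2
Jul 12 21:40:15 host sshd[1003]: Failed password for root from 203.0.113.7 port 4024 ssh2
Jul 12 21:41:00 host sshd[1004]: Failed password for jim from 192.0.2.10 port 50001 ssh2
Jul 12 21:41:05 host sshd[1004]: Failed password for jim from 192.0.2.10 port 50001 ssh2
Jul 12 21:41:08 host sshd[1004]: Failed password for jim from 192.0.2.10 port 50001 ssh2
Jul 12 21:41:12 host sshd[1004]: Accepted publickey for jim from 192.0.2.10 port 50001 ssh2
Jul 12 21:42:30 host sshd[1005]: Failed password for root from 198.51.100.9 port 3311 ssh2
EOF
# The admin's own address: three typos in a row must not lock him out.
printf '192.0.2.10\n' >"$WHITELIST"

# Threshold 3 odd events, block for 2 hours: only 203.0.113.7 qualifies.
dry_run "$SAMPLE_LOG" 3 "$WHITELIST" 2
```

Run it as `sh greylist.sh`; it prints the `iptables -I ... -j DROP` line for 203.0.113.7 and the matching `at`-scheduled `-D` line, while 192.0.2.10 (whitelisted) and 198.51.100.9 (only one failure) are left alone. To turn the dry run into Jim's cron-style job, feed it the real log and pipe the output to `sh`, but only after the whitelist holds every address you log in from.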
