Rodrick Brown wrote:
>
> This is a waste of time; new IP blocks are brought up faster than older ones
> are shut down. As someone else mentioned, this isn't worth the time you're going
> to spend to invest in something that works. Most of these attacks will
> originate from compromised hosts anyway. Why not do something more useful
> like watch rain fall :)
>

Looking up a non-existing page and returning a 404 is very little load on a web server, so if it's in the hundreds of requests per day, I agree, and wouldn't worry about it.

On the other hand, if it is hundreds of requests per minute from the same IP address, I'd block the IP after the first few bad requests. The originating host might be compromised, the IP might quickly disappear, but in the meantime that allows you to lessen the load on the server (there are side effects though: you might block valid users who just happened to type a wrong URL).

The original post mentioned iptables, so I assume it's on Linux; I would suggest having a look at the "recent" module:

http://www.snowman.net/projects/ipt_recent/

I implemented it to cut short ssh attacks:

http://www.sollers.ca/blog/2008/iptables_recent/

As I said, you have to think hard about your setup; I have DOS'ed myself a couple of times by typing the wrong password when trying to ssh in.

-- 
Yves.
_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
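
The per-minute threshold discussed in this thread can be checked against an access log before any block rule is written. The following is an added example, not code from the thread or from the linked pages: a sliding-window count of 404 responses per client IP, with an allowlist to avoid the self-lockout described above. The function names, the threshold of 5 hits in 60 seconds, the Common Log Format input and the sample lines are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common/Combined Log Format: client IP, [timestamp], "request", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def find_404_bursts(lines, threshold=5, window=timedelta(seconds=60),
                    allowlist=frozenset()):
    """Map each IP to the time it reached `threshold` 404s within `window`.
    Allowlisted IPs are never flagged, so an admin cannot lock themselves out."""
    recent = defaultdict(deque)  # ip -> timestamps of its 404s still in window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it
        ip, stamp, status = m.groups()
        if status != "404" or ip in allowlist or ip in flagged:
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:  # expire hits older than the window
            hits.popleft()
        if len(hits) >= threshold:
            flagged[ip] = when
    return flagged

def build_sample_log():
    """Constructed log lines (documentation-range IPs), in time order."""
    base = datetime(2008, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    events = [("203.0.113.7", s, 404) for s in range(0, 12, 2)]      # burst
    events += [("192.0.2.10", s, 404) for s in range(1, 6)]          # admin typos
    events += [("198.51.100.20", 3, 200), ("198.51.100.20", 5, 404),
               ("198.51.100.20", 20, 404)]                           # user, two typos
    events += [("203.0.113.99", s, 404) for s in range(0, 301, 75)]  # slow, spread out
    events.sort(key=lambda e: e[1])
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    return ['{} - - [{}] "GET /p{} HTTP/1.1" {} 209'.format(
                ip, (base + timedelta(seconds=s)).strftime(fmt), s, st)
            for ip, s, st in events]

if __name__ == "__main__":
    hits = find_404_bursts(build_sample_log(), allowlist={"192.0.2.10"})
    for ip, when in hits.items():
        print(f"{ip} reached the 404 threshold at {when.isoformat()}")
```

Running it over a real log with several threshold values shows how many legitimate clients a given setting would have caught before it is enforced.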
