"Rodrick Brown" made the following keystrokes: >This is a waste of time new IP blocks are brought up faster than older ones >are shutdown. As someone else mentioned this isnt worth the time your going >to spend to invest in something that works. Most of these attacks will >originate from compromised hosts anyway. Why not do something more useful >like watch rain fall :) >
I really don't consider this a waste of time. Having some remote machine pound away for hours just hoping to break a web account password is something I want to avoid. I really don't want to see my machine being used to advertise videos or fake purple pills. If I do something to stop them, then they need to use another bot to continue their attack. At some point it becomes easier for them to move elsewhere.

This isn't going to stop all attacks. The short-duration, targeted attempts will continue. Some that play the whack-a-mole game will continue as well. I do realize that this may be an effort in futility, but until it's tried, are you sure it won't help?

It was amazing how many attacks stopped when putting in blocks listed on the spamhaus.org/drop (don't route or peer) list. Should I ignore the efforts put into that project or the positive effects I have seen on my system when using it? You'd think the attackers would just move elsewhere, but there are way too many easy targets out there.

I really don't care about how much noise is in my log files. What I care about is someone hitting on a successful brute force that makes even more work for me in cleaning up after the fact. At home it's just a cleanup. At $work it leads to various reports and possible political issues that I'd prefer to avoid if I can.

I'm aware of the possibility of DOSing hosts that really are not attackers. That is part of the reason for my question here. I'm willing to learn from the trial and error that others have done. What works? What doesn't? I know I don't want to block on various individual hits, or even some small number of hits. What are reasonable numbers others have used?

There are some things that I might also consider hostile to start, e.g. someone attempting to pull ../../ repeatedly, ../etc/passwd, attempts to pull various application config files, etc.; take a look at what nikto or nessus scan for. People don't need to be doing that to my home machine.
I don't care if they get blocked for acting in a way I consider hostile. On some machines I'd be more accepting of small amounts of bad behaviour.

--Gene

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
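
The two blocking rules the post is asking about, as an added example that is not code from the thread or from any of the tools it mentions: a sliding-window count of failed web logins per source IP (block after N failures in W seconds), plus an immediate block on requests matching hostile probe patterns (traversal, /etc/passwd, config-file pulls), with an allowlist so you don't DoS your own hosts. The thresholds (10 failures in 600 s), the login path `/login` with 401/403 meaning a failed login, the hostile pattern list, the allowlisted networks and every log line are assumptions constructed for the example; tune them to your own logs.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import unquote

# Assumed thresholds; the thread's open question is what numbers work in practice.
FAIL_THRESHOLD = 10      # failed logins from one IP ...
WINDOW_SECONDS = 600     # ... within this many seconds -> block
LOGIN_PATH = "/login"    # assumed login endpoint; 401/403 here = failed login

# Requests matching any of these get an immediate block regardless of count
# (illustrative list, modelled on what scanners such as nikto try).
HOSTILE_PATTERNS = [re.compile(p, re.I) for p in (
    r"\.\.[/\\]",              # directory traversal: ../ or ..\
    r"/etc/(passwd|shadow)",   # classic file-disclosure probe
    r"(^|/)\.env($|\?)",       # dotenv secrets file
    r"wp-config\.php",         # common application config probe
)]

# Never block these networks (assumed): avoids DoS-ing yourself or a monitor host.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]

# Common Log Format: ip - - [timestamp] "METHOD path proto" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one CLF line into a dict; return None for lines we can't read."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def hostile_reason(path):
    """Return the hostile pattern the path matches, or None.
    The path is percent-decoded first so ..%2F..%2F counts as traversal."""
    decoded = unquote(path)
    for pat in HOSTILE_PATTERNS:
        if pat.search(decoded):
            return pat.pattern
    return None


def is_allowlisted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWLIST)


class BlockPolicy:
    def __init__(self, fail_threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
        self.fail_threshold = fail_threshold
        self.window = window
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failed logins
        self.blocked = {}                    # ip -> reason it was blocked

    def observe(self, line):
        """Feed one log line; return the IP if this line caused a block, else None."""
        rec = parse_line(line)
        if rec is None:
            return None
        ip = rec["ip"]
        if ip in self.blocked or is_allowlisted(ip):
            return None
        reason = hostile_reason(rec["path"])
        if reason:                                   # rule 2: hostile probe, block now
            self.blocked[ip] = "hostile:" + reason
            return ip
        if (rec["method"] == "POST" and rec["path"].startswith(LOGIN_PATH)
                and rec["status"] in (401, 403)):    # rule 1: count login failures
            q = self.failures[ip]
            q.append(rec["ts"])
            while (rec["ts"] - q[0]).total_seconds() > self.window:
                q.popleft()                          # drop failures outside the window
            if len(q) >= self.fail_threshold:
                self.blocked[ip] = "brute-force"
                del self.failures[ip]
                return ip
        return None


def run(lines, **kw):
    """Apply the policy to a sequence of log lines; return {ip: reason}."""
    policy = BlockPolicy(**kw)
    for line in lines:
        policy.observe(line)
    return policy.blocked


def _line(ip, ts, method, path, status):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512'


# Constructed sample log (not real traffic): one fast brute-forcer (15 misses,
# 30 s apart -> blocked on the 10th), one slow one (12 misses, 2 min apart ->
# never 10 inside 600 s), one traversal probe, one allowlisted host probing,
# and one host with a single typo'd password.
SAMPLE_LOG = (
    [_line("203.0.113.5", f"10/Oct/2023:13:{(i*30)//60:02d}:{(i*30)%60:02d} +0000",
           "POST", "/login", 401) for i in range(15)]
    + [_line("203.0.113.6", f"10/Oct/2023:13:{m:02d}:00 +0000", "POST", "/login", 401)
       for m in range(0, 24, 2)]
    + [_line("198.51.100.7", "10/Oct/2023:14:00:01 +0000", "GET",
             "/cgi-bin/..%2F..%2F..%2Fetc/passwd", 404)]
    + [_line("192.0.2.10", "10/Oct/2023:14:00:02 +0000", "GET", "/../etc/passwd", 404)]
    + [_line("203.0.113.9", "10/Oct/2023:14:00:03 +0000", "POST", "/login", 401)]
)

if __name__ == "__main__":
    for ip, why in run(SAMPLE_LOG).items():
        print(f"block {ip}: {why}")
```

On the sample, `run(SAMPLE_LOG)` blocks only 203.0.113.5 (brute-force) and 198.51.100.7 (hostile pattern); the slow attacker stays under the window count, which is exactly the trade-off the post raises: lowering `fail_threshold` to 3 catches it, at the price of more false positives on users who mistype a password a few times. The `blocked` dict is where you would hand the address to a firewall rule, ideally with an expiry, since attacker IPs are reused by legitimate hosts later.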
