Derek J. Balling wrote:
> But that's not what you're describing as the problem. Your original
> post says the problem is a 404 error. 404 errors do nothing to help/
> hinder someone in terms of cracking passwords.
>
>> I really don't want to see my machine being used to advertise
>> videos or fake purple pills.
>
> If they're getting 404s then it isn't being so used.
>
>> If I do something to stop them, then they need
>> to use another bot to continue their attack.
>
> Where's the "attack" here, exactly?

I don't understand the "advertising videos" thing, but I understand the attack: typically 404s are not because people/bots are trying wild guesses; they are attacks against known holes in CGI, PHP, etc...

> If you want to start blocking based on "hostile acts" such as clearly
> attempting to compromise the host via exploits, that's a whole
> different ball of wax. It's still going to be, largely, an exercise in
> futility (because most of those hosts are compromised home windows
> boxes, and those windows boxes are probably getting new IP addresses
> every couple of days from their upstream provider via DHCP).

But typically, they don't try just the one page, they try the whole list of known holes. If you stop them, from a pattern recognising known holes or just because they are trying nonexistent pages, you might prevent a successful attack from a not so well known one that you have not patched for yet.

The other point the OP mentioned is load (which surprises me, it has not been my experience with HTTP, but then, I have never administered a well known site). If you stop it after a few (less than 10) bad requests, you prevent the next few thousand.

Yes, IP addresses will change eventually, but what prompted me to investigate blocking ssh attacks was a heavy load on my server. When I looked into it, I had a bunch of ssh processes. By the time I shut it all down, one host had tried 700 login attempts, and another 10 000! Now, I get 5 or 10 per day from different unique IP addresses, because once you hit me with a wrong password, you need to wait; the more you get the wrong password, the more you need to wait (it's an expanding window, at first a minute, then 10, etc...).

-- 
Yves.
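
The expanding-window block described in the message above, applied to 404 responses, as an added example that is not part of the original post or of any tool it refers to. The threshold of 5, the tenfold growth factor, the simplified log format with epoch timestamps, and all class and function names are assumptions; the log lines are constructed.

```python
import re
from collections import defaultdict

THRESHOLD = 5     # assumed; the post only says "less than 10" bad requests
BASE_BLOCK = 60   # first block: one minute, as in the post
GROWTH = 10       # assumed factor for "a minute, then 10, etc."
# Constructed log format: ip - - [epoch-seconds] "request" status bytes
LINE = re.compile(r'^(\S+) \S+ \S+ \[(\d+)\] "[^"]*" (\d{3}) ')

class ExpandingBlocker:
    def __init__(self):
        self.misses = defaultdict(int)    # 404s since the last block, per IP
        self.strikes = defaultdict(int)   # blocks already imposed, per IP
        self.blocked_until = {}           # IP -> epoch second the block ends

    def observe(self, ip, status, now):
        """Return 'dropped', 'blocked' (a new block starts) or 'ok'."""
        if self.blocked_until.get(ip, 0) > now:
            return "dropped"
        if status != 404:
            return "ok"
        self.misses[ip] += 1
        if self.misses[ip] < THRESHOLD:
            return "ok"
        # Each repeat offence multiplies the wait: 60 s, 600 s, 6000 s, ...
        self.blocked_until[ip] = now + BASE_BLOCK * GROWTH ** self.strikes[ip]
        self.strikes[ip] += 1
        self.misses[ip] = 0
        return "blocked"

def replay(lines):
    blocker, outcome = ExpandingBlocker(), defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m:
            ip, now, status = m.group(1), int(m.group(2)), int(m.group(3))
            outcome[ip].append(blocker.observe(ip, status, now))
    return blocker, outcome

def sample_log():
    """Constructed input: one scanner (two bursts) and one ordinary visitor."""
    hit = '{} - - [{}] "GET {} HTTP/1.1" {} 0'
    log = [hit.format("192.0.2.10", 1000 + i, f"/missing-{i}", 404) for i in range(12)]
    log += [hit.format("198.51.100.7", 1020 + i, p, s)
            for i, (p, s) in enumerate([("/", 200), ("/old-link", 404), ("/about", 200)])]
    log += [hit.format("192.0.2.10", 1100 + i, f"/missing-{i}", 404) for i in range(12)]
    return log

if __name__ == "__main__":
    blocker, outcome = replay(sample_log())
    for ip, seen in outcome.items():
        print(ip, {k: seen.count(k) for k in ("ok", "blocked", "dropped")})
```

The miss counter here never decays, so a long-lived deployment would also expire old 404 counts to keep an ordinary visitor's occasional broken link from accumulating into a block.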
