ssh brute force attacks 3200
Robert Heller not specific? temporarily. As disable couple of is may on block off coming being seeking just of my if they more is the it traffic blocks are to quite
Right. I'm not going to block port 80 access unless I see a pattern of abuse there also - the usual formmail stuff, etc. If I see that, yeah, I'm going to at the very least block them from posting, and may block them entirely - but always, always always temporarily. I do not leave anyone blocked forever because someone legitimate may acquire the ip address. How long I keep an ip address blocked depends on where it came from and other stuff - more opinion and emotional than any hard-coded rule, but I do time the block out automatically after X time and may do so earlier.
But again, if someone is trying to DOS me, goading me into blocking a range of ip's is hardly efficient and is obviously easy enough for my filters to notice and ignore - if I ever saw this happen, I think I'd just do a "rolling block" - iow, time out and unblock the previously blocked ip's as the new one's came in. But as I've said before, if someone wants to DOS me, they are going to find a way to do it, and I do not see that blocking their ip aids them in any way.
On Sun, 20 Mar 2005 16:39:14 +0000, Menno Duursma Thanks for the extra info; I'll review...
Michael Heiming I keep re-reading this, and looking at the context, and I'm just not following you. My failing, I'm sure, but could you be more...
So I do not see Michael's point that "Blocking IPs because of failed logins is a nice way introducing DOS attacks against yourself". It doesn't. Or we're both missing his point entirely.
On Sat, 19 Mar 2005 13:28:32 +0000, Brendon Caligari What you are most likely seeing are SSH worms on hacked PCs that scan blocks of IP addresses and look for SSH running...
-- Tony Lawrence
Linux groups from Newsgroups