[wellylug] Blocking bad IPs from server

Daniel Pittman daniel at rimspace.net
Sat Jan 27 02:52:12 NZDT 2007


Cliff Pratt <enkidu at cliffp.com> writes:
> scott at slackisland.org wrote:

If I can suggest an alternative technical approach without weighing in
on the merits or otherwise of this blocking:

>>> I'm curious: which kernel version are you using, and how will
>>> blacklisting require a recompile?  I don't use/know shorewall,

[...]

>> Without all the source headers etc, it's tough to patch the kernel.

Your distribution should provide all the necessary headers to allow you
to compile modules.  If they do not I can only suggest you invest in a
better distribution.  All the big players certainly enable this.

[...]

> You can use blacklists without the ipsets. Admittedly I only block a
> few addresses. Personally, I don't see the point of huge IP address
> lists - they change all the time.

Indeed they do, and anything that attempts to statically black-list
hostile addresses will need *some* form of expiration -- if only to avoid
incrementally blocking every dynamic address at every large ISP.

A much better approach is a system that will automatically detect
attacks and block them on a temporary basis -- five or ten minutes at a
shot -- rather than any attempt to keep the blacklist forever.

That is long enough to make brute force attacks impractical[1] and can
extend to all services at the same address if you wish to be
extra-careful.


I have found, personally, that the 'fail2ban' package is a very good
solution to this.  It can monitor an arbitrary number of logfiles, react
to an arbitrary number of attack reporting patterns and maintains the
dynamic blacklist very efficiently and without any work on my part.

You can obtain it as part of most recent distributions or at
http://fail2ban.sf.net/

Regards,
        Daniel

Footnotes: 
[1]  ...and if you are still concerned you can up it to an hour or even
     a whole day, should you wish.

-- 
Digital Infrastructure Solutions -- making IT simple, stable and secure
Phone: 0401 155 707        email: contact at digital-infrastructure.com.au
                 http://digital-infrastructure.com.au/
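The dynamic, expiring blacklist described above (count failed logins per source within a window, block for a few minutes, then forget), as an added illustration in Python; it is not part of the original post and not fail2ban's own code. The log lines, thresholds and timestamps are constructed for the example, and where this keeps an in-memory dict a real deployment would add and remove firewall rules.

```python
import re
from collections import defaultdict, deque

# Constructed sshd-style log lines as (seconds since start, line); not a real capture.
SAMPLE_EVENTS = [
    (0,   "sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2"),
    (10,  "sshd[101]: Failed password for root from 203.0.113.5 port 40002 ssh2"),
    (20,  "sshd[101]: Failed password for root from 203.0.113.5 port 40003 ssh2"),
    (25,  "sshd[102]: Accepted publickey for alice from 192.0.2.9 port 50000 ssh2"),
    (30,  "sshd[103]: Failed password for bob from 198.51.100.7 port 41000 ssh2"),
    (200, "sshd[103]: Failed password for bob from 198.51.100.7 port 41001 ssh2"),
    (400, "sshd[103]: Failed password for bob from 198.51.100.7 port 41002 ssh2"),
    (700, "sshd[104]: Failed password for root from 203.0.113.5 port 40004 ssh2"),
]
# Attack-reporting pattern: one failed password attempt and the source address.
FAILED_RE = re.compile(r"Failed password for .* from (?P<ip>\d+(?:\.\d+){3})")

class DynamicBlacklist:
    # maxretry failures within findtime seconds => ban for bantime seconds (values are assumed).
    def __init__(self, maxretry=3, findtime=60, bantime=600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.bans = {}                       # ip -> time the ban expires
    def expire(self, now):
        # Drop bans whose period has elapsed, so dynamic addresses are never held forever.
        for ip in [ip for ip, until in self.bans.items() if until <= now]:
            del self.bans[ip]
    def observe(self, line, now):
        """Feed one log line seen at time `now`; return the ip if this line triggers a ban."""
        self.expire(now)
        m = FAILED_RE.search(line)
        if not m or m.group("ip") in self.bans:   # not a failure, or already blocked
            return None
        ip, q = m.group("ip"), self.failures[m.group("ip")]
        q.append(now)
        while q and q[0] < now - self.findtime:   # forget failures outside the window
            q.popleft()
        if len(q) >= self.maxretry:
            self.bans[ip] = now + self.bantime
            q.clear()
            return ip
        return None
    def is_banned(self, ip, now):
        self.expire(now)
        return ip in self.bans

def run_sample():
    """Replay SAMPLE_EVENTS; return the blacklist and the (time, ip) bans it issued."""
    bl, issued = DynamicBlacklist(), []
    for t, line in SAMPLE_EVENTS:
        ip = bl.observe(line, t)
        if ip:
            issued.append((t, ip))
    return bl, issued
```

Replaying the sample bans 203.0.113.5 at t=20 and releases it at t=620, while 198.51.100.7, whose three failures are spread over more than the window, is never blocked.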
