[wellylug] Blocking bad IPs from server

John Durham johndurh at spunge.org
Sat Jan 27 07:58:11 NZDT 2007


Daniel Pittman wrote:
> Cliff Pratt <enkidu at cliffp.com> writes:
> If I can suggest an alternative technical approach without weighing in
> on the merits or otherwise of this blocking:
> [...]
>
> Your distribution should provide all the necessary headers to allow you
> to compile modules.  If they do not I can only suggest you invest in a
> better distribution.  All the big players certainly enable this.
>
> [...]
> Indeed they do, and anything that attempts to statically black-list
> hostile addresses will need *some* form of expiration -- if only to avoid
> incrementally blocking every dynamic address at every large ISP.
>
> A much better approach is a system that will automatically detect
> attacks and block them on a temporary basis -- five or ten minutes at a
> shot -- rather than any attempt to keep the blacklist forever.
>
> That is long enough to make brute force attacks impractical[1] and can
> extend to all services at the same address if you wish to be
> extra-careful.
>
>
> I have found, personally, that the 'fail2ban' package is a very good
> solution to this.  It can monitor an arbitrary number of logfiles, react
> to an arbitrary number of attack reporting patterns and maintains the
> dynamic blacklist very efficiently and without any work on my part.
>
> You can obtain it as part of most recent distributions or at
> http://fail2ban.sf.net/
>
> Regards,
>         Daniel
>
> Footnotes: 
> [1]  ...and if you are still concerned you can up it to an hour or even
>      a whole day, should you wish.
>
>   
At this stage I am far from compiling modules. It's not like my old Z80 
days compiling from assembler any more. I'm not even sure of the 
language you are talking about. What would it be? Thanks for the 
fail2ban recommendation.

-- 
Regards, John Durham <http://modecideas.com/contact.html?sig>
Fax/Phone 64 4 5286786
Award winning web site at http://modecideas.com?sig
Server hosted on Ubuntu 4.10
PC-HELPERS list subscribe/unsub at http://modecideas.com/discuss.htm?sig
Good advice is like good paint- it only works if applied. 
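
The temporary-ban approach Daniel describes above, as an added sketch that is not part of the original thread and is not fail2ban's own code: it scans sshd log lines, bans an address after repeated failures inside a time window, and lets the ban expire on its own. The function names, thresholds and sample log lines are assumptions constructed for illustration; the ban length follows the "five or ten minutes" suggested in the quoted message.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds (only the ten-minute ban comes from the thread).
MAX_RETRY = 3                       # failures tolerated inside FIND_TIME
FIND_TIME = timedelta(minutes=10)   # sliding window for counting failures
BAN_TIME = timedelta(minutes=10)    # ban length; expires automatically

FAILED = re.compile(  # OpenSSH "Failed password" line in syslog format
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) "
)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Jan 27 07:00:01 host sshd[101]: Failed password for root from 192.0.2.10 port 4001 ssh2
Jan 27 07:00:05 host sshd[102]: Failed password for invalid user admin from 192.0.2.10 port 4002 ssh2
Jan 27 07:00:09 host sshd[103]: Failed password for root from 192.0.2.10 port 4003 ssh2
Jan 27 07:01:00 host sshd[104]: Failed password for john from 198.51.100.7 port 5001 ssh2
Jan 27 07:30:00 host sshd[105]: Accepted password for john from 198.51.100.7 port 5002 ssh2
"""

def scan(log_text, year=2007):
    """Return {ip: ban_expiry}; syslog lines carry no year, so one is supplied."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    bans = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue                # successful logins and other lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        recent = failures[m["ip"]]
        recent.append(ts)
        while recent and ts - recent[0] > FIND_TIME:
            recent.popleft()        # forget failures older than the window
        if len(recent) >= MAX_RETRY:
            bans[m["ip"]] = ts + BAN_TIME
            recent.clear()          # start counting afresh after a ban
    return bans

def active_bans(bans, now):
    """Addresses still blocked at `now`; expired entries simply drop out."""
    return sorted(ip for ip, expiry in bans.items() if now < expiry)

if __name__ == "__main__":
    bans = scan(SAMPLE_LOG)
    print(active_bans(bans, datetime(2007, 1, 27, 7, 5)))   # ban in force
    print(active_bans(bans, datetime(2007, 1, 27, 7, 15)))  # ban has expired
```

Because each entry carries its own expiry, a dynamic address that changes hands is unblocked without anyone pruning the list by hand.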



