[TriLUG] bad address list

Michael Kimsal mgkimsal at gmail.com
Thu Jan 28 17:17:23 EST 2010


I switched to a nonstandard port, and saw brute force attacks drop by
about 95% a few years back.  They're creeping up, but it was a huge
plus, and very quick to do.

2010/1/28 Cristóbal Palmer <cmp at cmpalmer.org>:
> On Thu, Jan 28, 2010 at 5:00 PM, Ralph Blach <chipperb at nc.rr.com> wrote:
>> Here is a bad address list of people who probe my port 22,
>
> I appreciate your intent to be helpful, but honestly this kind of
> attack is so amazingly common, and the IPs change so amazingly
> frequently, that there are much better strategies than manually
> maintaining a list like this. Such as:
>
> 1) Be nonstandard. Don't use port 22. Startlingly few attackers
> actually scan for open ports before launching their attacks.
> 2) Use fail2ban.
> 3) Use denyhosts, which allows you (by editing a config file) to talk
> to a central server and automatically report abusive login attempts
> and download IPs doing the same to others. You can even set
> "resiliency" rules such that you only download IPs of hosts that have
> been abusing for at least 3 hours and have abused at least 4 other
> denyhosts users.
>
> There are other strategies that I'm sure others can comment on. I like
> to use both 1 and 3, and I tend to set it up so that people are only
> blocked for a couple of hours before getting purged by denyhosts.
>
> Cheers,
> --
> Cristóbal M. Palmer
> ibiblio.org systems
> cdla.unc.edu research assistant
> --
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG FAQ  : http://www.trilug.org/wiki/Frequently_Asked_Questions
>



-- 
Michael Kimsal
http://jsmag.com - for javascript developers
http://groovymag.com - for groovy developers
919.827.4724
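The download rule and short purge window described in the quoted message, sketched as an added example (not part of the original thread and not DenyHosts code; in denyhosts.conf the corresponding options are SYNC_DOWNLOAD_THRESHOLD, SYNC_DOWNLOAD_RESILIENCY and PURGE_DENY). The function names, report format and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: (attacker IP, reporting host, time of the report).
# IPs are RFC 5737 documentation addresses; host names are made up.
REPORTS = [
    ("203.0.113.7", "hostA", "2010-01-28 09:00"),
    ("203.0.113.7", "hostB", "2010-01-28 10:30"),
    ("203.0.113.7", "hostC", "2010-01-28 11:45"),
    ("203.0.113.7", "hostD", "2010-01-28 13:10"),
    ("198.51.100.9", "hostA", "2010-01-28 12:00"),  # 4 reporters, 20 minutes
    ("198.51.100.9", "hostB", "2010-01-28 12:05"),
    ("198.51.100.9", "hostC", "2010-01-28 12:10"),
    ("198.51.100.9", "hostD", "2010-01-28 12:20"),
    ("192.0.2.44", "hostA", "2010-01-28 06:00"),    # 8 hours, 2 reporters
    ("192.0.2.44", "hostB", "2010-01-28 14:00"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def select_blocks(reports, min_reporters=4, min_span=timedelta(hours=3)):
    """IPs reported by enough distinct hosts over a long enough time span."""
    reporters, times = defaultdict(set), defaultdict(list)
    for ip, host, ts in reports:
        reporters[ip].add(host)
        times[ip].append(parse(ts))
    return {
        ip for ip in times
        if len(reporters[ip]) >= min_reporters
        and max(times[ip]) - min(times[ip]) >= min_span
    }

def add_blocks(blocklist, ips, now):
    """Record when each new IP was blocked; existing entries keep their time."""
    merged = dict(blocklist)
    for ip in ips:
        merged.setdefault(ip, now)
    return merged

def purge(blocklist, now, max_age=timedelta(hours=2)):
    """Drop entries that have been blocked for max_age or longer."""
    return {ip: t for ip, t in blocklist.items() if now - t < max_age}

if __name__ == "__main__":
    now = parse("2010-01-28 14:00")
    blocklist = add_blocks({}, select_blocks(REPORTS), now)
    print(sorted(blocklist))
    print(sorted(purge(blocklist, now + timedelta(hours=3))))
```

Only the address that is both widely reported and persistent gets blocked; the short burst and the two-reporter address are skipped, which keeps the local deny list small.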


