[TriLUG] bad address list

Cristóbal Palmer cmp at cmpalmer.org
Thu Jan 28 17:14:52 EST 2010


On Thu, Jan 28, 2010 at 5:00 PM, Ralph Blach <chipperb at nc.rr.com> wrote:
> Here is a bad address list of people who probe my port 22,

I appreciate your intent to be helpful, but honestly this kind of
attack is so amazingly common, and the IPs change so amazingly
frequently, that there are much better strategies than manually
maintaining a list like this. Such as:

1) Be nonstandard. Don't use port 22. Startlingly few attackers
actually scan for open ports before launching their attacks.
2) Use fail2ban.
3) Use denyhosts, which allows you (by editing a config file) to talk
to a central server and automatically report abusive login attempts
and download IPs doing the same to others. You can even set
"resiliency" rules such that you only download IPs of hosts that have
been abusing for at least 3 hours and have abused at least 4 other
denyhosts users.

There are other strategies that I'm sure others can comment on. I like
to use both 1 and 3, and I tend to set it up so that people are only
blocked for a couple of hours before getting purged by denyhosts.

Cheers,
-- 
Cristóbal M. Palmer
ibiblio.org systems
cdla.unc.edu research assistant
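
The sync, "resiliency" and purge behaviour described in point 3 of the message above maps onto a handful of `denyhosts.conf` options. This fragment is an added example, not part of the original message or the poster's own configuration; the sync server URL is a placeholder and the values simply mirror the numbers mentioned in the message.

```ini
# denyhosts.conf fragment (added example; values mirror the message above)

# Central sync server. Placeholder URL: use the address shipped in your
# distribution's denyhosts.conf rather than this one.
SYNC_SERVER = http://sync.example.invalid:9911

# How often the daemon exchanges data with the sync server.
SYNC_INTERVAL = 1h

# Report the abusive hosts seen locally to the sync server.
SYNC_UPLOAD = yes

# Download hosts that other DenyHosts users have reported.
SYNC_DOWNLOAD = yes

# Only download a host once at least this many other DenyHosts
# installations have blocked it ("abused at least 4 other users").
SYNC_DOWNLOAD_THRESHOLD = 4

# Only download a host whose first and last reported attacks are at
# least this far apart ("abusing for at least 3 hours").
SYNC_DOWNLOAD_RESILIENCY = 3h

# Remove entries from hosts.deny once they are older than this, so a
# blocked address is released after a couple of hours.
PURGE_DENY = 2h

# In daemon mode, how often the purge pass runs.
DAEMON_PURGE = 1h
```

Synchronization only happens when DenyHosts runs in daemon mode, and a `PURGE_DENY` shorter than `DAEMON_PURGE` still waits for the next purge pass before an entry is removed.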


