Re: Blocking attacks from spoofed IP addresses



On Sat, 03 Oct 2009, in the Usenet newsgroup comp.os.linux.networking, in
article <3fvcc5p2mibu4fl2g8it5qtcufnkrjjhlh@xxxxxxx>, Grant wrote:

> ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin) wrote:
>
>> Banning individual addresses also can be a resource hog - think
>> about the CPU cycles required to check through a thousand or so
>> "rules" for each connection. If you must ban, block the address
>> for a short period (10 minutes) rather than permanently.
>
> To that end, here's a screen scrape of my firewall status for temp
> banned ports:

You're way ahead of me ;-)

> list  IP address  newest  oldest  hits  net address  cc  country name

Funny how many of those blocks are nearly instantly recognizable as
residential ranges from consumer ISPs.

> That's not many IPs to hold banned for a short time, and you can
> see they come from all over the place.

Agreed - the problem is that most log-reader programs, such as

BlockHosts http://www.aczoom.com/cms/blockhosts

DenyHosts http://denyhosts.sourceforge.net

fail2ban http://www.fail2ban.org

blocksshd http://sourceforge.net/projects/blocksshd/

bruteforceblocker http://danger.rulez.sk/projects/bruteforceblocker

work by adding a ``permanent'' block rule, either to the firewall
(iptables, except for bruteforceblocker which is for BSD) and/or
/etc/hosts.(allow|deny). 'fail2ban' is the _only_ one to default to
a "short" (10 minute) ban.

And then people wonder why their firewall application is four times
slower than a block of solid hydrogen sitting in a sand dune.

> Currently the thing is tracking only:
>
> list   IPs  hits
> deny    12    27
> http     6    12
> rate     4    11
> total   22    50

As mentioned else-thread, my firewall doesn't have spare horse-power
to handle much of this, so the rules are pretty simple - if you're
not in one of the approved ranges, it's a drop. I've got a much more
competent box available as a backup, and sometimes run it instead of
the laptop (mainly so I can do maintenance on that system). In some
cases, I'll remember to activate logging when the big box is in use,
but that's an infrequent occurrence.

Old guy
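The point of the exchange above is that a ban list should be short-lived so the firewall's rule table stays small. The following Python is an added example, not code from fail2ban or any of the other tools named in the post: it applies fail2ban-style maxretry/findtime/bantime bookkeeping to a few constructed sshd log lines, drops bans once their 600-second bantime has elapsed, and renders the live ban set as iptables commands (returned as strings, not executed). The log lines, the addresses in them, the class and function names, and the seconds-since-midnight timestamp handling are all assumptions made for the demonstration.

```python
"""Temporary-ban bookkeeping in the style the post recommends.

Added example, not code from fail2ban, DenyHosts or the other tools
named in the thread. Counts failed logins per source address inside a
sliding window and bans the address for a short, fixed period (600 s,
the fail2ban default bantime) rather than permanently, so the rule
table stays bounded.
"""
import re
from collections import defaultdict, deque

# Constructed sample log lines in sshd/syslog style (not from a real host).
SAMPLE_LOG = """\
Oct  3 10:00:01 host sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Oct  3 10:00:03 host sshd[1002]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Oct  3 10:00:05 host sshd[1003]: Failed password for root from 198.51.100.7 port 51251 ssh2
Oct  3 10:00:06 host sshd[1004]: Accepted publickey for grant from 203.0.113.9 port 40022 ssh2
Oct  3 10:00:08 host sshd[1005]: Failed password for root from 198.51.100.7 port 51260 ssh2
Oct  3 10:00:09 host sshd[1006]: Failed password for invalid user test from 192.0.2.55 port 60001 ssh2
"""

# Assumption: timestamps are reduced to seconds since midnight; a real
# log reader would also track the date and year.
FAILED_RE = re.compile(
    r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d)\s+\S+\s+sshd\[\d+\]: "
    r"Failed password for .* from (\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_failure(line):
    """Return (seconds_since_midnight, source_ip) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    h, mi, s, ip = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), ip


class TempBanner:
    """fail2ban-like counters: maxretry failures within findtime -> ban for bantime."""

    def __init__(self, maxretry=3, findtime=600, bantime=600):
        self.maxretry = maxretry
        self.findtime = findtime
        self.bantime = bantime
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}                      # ip -> time the ban expires

    def expire(self, now):
        """Drop bans whose bantime has elapsed; returns the addresses released."""
        released = [ip for ip, until in self.bans.items() if until <= now]
        for ip in released:
            del self.bans[ip]
        return released

    def observe(self, now, ip):
        """Record one failure at time `now`; return True if it triggers a ban."""
        self.expire(now)
        if ip in self.bans:
            return False          # already blocked; nothing new to add
        q = self.failures[ip]
        q.append(now)
        while q and q[0] < now - self.findtime:
            q.popleft()           # forget failures outside the window
        if len(q) >= self.maxretry:
            self.bans[ip] = now + self.bantime
            q.clear()
            return True
        return False

    def is_banned(self, ip, now):
        self.expire(now)
        return ip in self.bans

    def iptables_rules(self):
        """Render the live ban set as iptables commands (strings only, not run)."""
        return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(self.bans)]


def run(log_text, banner):
    """Feed every failed-login line to the banner; return [(time, ip)] of new bans."""
    events = []
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue
        t, ip = parsed
        if banner.observe(t, ip):
            events.append((t, ip))
    return events


if __name__ == "__main__":
    b = TempBanner()
    for t, ip in run(SAMPLE_LOG, b):
        print(f"ban {ip} at t={t}s for {b.bantime}s")
    for rule in b.iptables_rules():
        print(rule)
```

With the defaults, 198.51.100.7 is banned on its third failure and its fourth attempt is ignored while the ban is live; 192.0.2.55, with a single failure, is never banned. Once the 600 seconds are up the entry is removed and the rendered rule list is empty again, which is the property the post is after: the iptables chain never accumulates a thousand stale rules for every connection to walk through.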