Re: Blocking attacks from spoofed IP addresses

On Sat, 03 Oct 2009, in the Usenet newsgroup comp.os.linux.networking, in
article <3fvcc5p2mibu4fl2g8it5qtcufnkrjjhlh@xxxxxxx>, Grant wrote:

ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin) wrote:

Banning individual addresses also can be a resource hog - think
about the CPU cycles required to check through a thousand or so
"rules" for each connection. If you must ban, block the address
for a short period (10 minutes) rather than permanently.

To that end, here's a screen scrape of my firewall status for temp
banned ports:

You're way ahead of me ;-)

list  IP address  newest  oldest  hits  net address  cc  country name

Funny how many of those blocks are nearly instantly recognizable as
residential ranges from consumer ISPs.

That's not many IPs to hold banned for a short time, and you can
see they come from all over the place.

Agreed - the problem is that most log-reader programs, such as






work by adding a ``permanent'' block rule, either to the firewall
(iptables, except for bruteforceblocker which is for BSD) and/or
/etc/hosts.(allow|deny). 'fail2ban' is the _only_ one to default to
a "short" (10 minute) ban.

And then people wonder why their firewall application is four times
slower than a block of solid hydrogen sitting in a sand dune.

Currently the thing is tracking only:

list    IPs   hits
deny     12     27
http      6     12
rate      4     11
total    22     50

As mentioned else-thread, my firewall doesn't have spare horse-power
to handle much of this, so the rules are pretty simple - if you're
not in one of the approved ranges, it's a drop. I've got a much more
competent box available as a backup, and sometimes run it instead of
the laptop (mainly so I can do maintenance on that system). In some
cases, I'll remember to activate logging when the big box is in use,
but that's an infrequent occurrence.

Old guy
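One way to do the short, self-expiring ban the thread recommends, as an added example that is not code from the post or from any of the log-reader tools it names: a fail2ban-style ban table keyed by address, where checking an address is a single dictionary probe rather than a walk through a thousand firewall rules, and each ban ages out after 600 seconds instead of accumulating as a permanent rule. The class name, the threshold of three failures, and the sshd-style log lines are all assumptions constructed for the example.

```python
import re
from collections import defaultdict

BAN_SECONDS = 600   # the "short" (10 minute) ban the thread recommends
THRESHOLD = 3       # failed attempts before an address is banned (assumed)

# Constructed sample log lines (not from the post); sshd-style auth messages.
SAMPLE_LOG = """\
Oct  3 10:00:01 fw sshd[1001]: Failed password for root from 203.0.113.7 port 4411 ssh2
Oct  3 10:00:03 fw sshd[1002]: Failed password for root from 203.0.113.7 port 4412 ssh2
Oct  3 10:00:05 fw sshd[1003]: Failed password for admin from 203.0.113.7 port 4413 ssh2
Oct  3 10:00:09 fw sshd[1004]: Failed password for root from 198.51.100.22 port 5001 ssh2
Oct  3 10:00:20 fw sshd[1005]: Accepted publickey for grant from 192.0.2.10 port 6000 ssh2
"""
FAIL_RE = re.compile(r"Failed password for \S+ from (\d+\.\d+\.\d+\.\d+)")


class TempBanList:
    """Hypothetical fail2ban-style table: one dict lookup per connection,
    entries expire on their own instead of piling up as permanent rules."""

    def __init__(self, ban_seconds=BAN_SECONDS, threshold=THRESHOLD):
        self.ban_seconds = ban_seconds
        self.threshold = threshold
        self.hits = defaultdict(int)   # failed attempts per address
        self.banned = {}               # address -> expiry timestamp

    def record_failure(self, ip, now):
        self.hits[ip] += 1
        if self.hits[ip] >= self.threshold:
            self.banned[ip] = now + self.ban_seconds

    def is_banned(self, ip, now):
        expiry = self.banned.get(ip)
        if expiry is None:
            return False
        if now >= expiry:              # ban aged out: forget it, don't keep it forever
            del self.banned[ip]
            self.hits.pop(ip, None)
            return False
        return True

    def feed_log(self, text, now):
        for line in text.splitlines():
            m = FAIL_RE.search(line)
            if m:
                self.record_failure(m.group(1), now)

    def status(self, now):
        """Summary row in the spirit of Grant's 'list IPs hits' table."""
        active = [ip for ip in list(self.banned) if self.is_banned(ip, now)]
        return {"banned": len(active), "hits": sum(self.hits[ip] for ip in active)}
```

Feeding the same addresses through a flat list of per-address rules would cost a linear scan per connection; here the cost per check stays constant no matter how many addresses are currently banned.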