On Sun, Sep 19, 2004 at 02:42:08PM -0400, Dossy Shiobara wrote:
> > Other than blacklisting the IPs (which is a race I am going to
> > lose),
>
> Why do you say that? I haven't seen this more than a few times a week
> so I haven't bothered to do anything yet, but I'm very close to writing
> a script that tails the syslog and, on more than X repeat failures,
> adds a rule to iptables to -j DROP traffic from the offending IP address.

I see several of these attempts every day, always hitting sequential IP
addresses. When you have dozens of servers that otherwise wouldn't log
anything worth a logcheck report, this means lots and lots of unnecessary
mail.

> If I'm feeling nice, I'll keep a list of the IPs that have been
> temporarily blacklisted with a timestamp of when they were added, and
> expire them after X time has passed ...

I have found it mostly futile to blacklist them at all, unless I catch
them as soon as the scanning starts. They hit IP addresses in sequential
order, and once they're done scanning my netblock, I haven't seen any more
of them. So logcheck, running only once an hour, is useless. It lets me
know that such a scan happened, but by the time I get the mail, I don't
care. If I notice the scan immediately, I will occasionally blackhole the
source IP at our network border, but it's rare that I notice in time.

noah
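The threshold-and-expiry script Dossy sketches, written out as an added example that is not code from either poster: it parses sshd "Failed password" syslog lines, counts failures per source address in a sliding window, emits an iptables DROP command once X is exceeded, and later emits the matching removal once the block has aged out. The log lines, addresses, threshold (3), window (600 s) and block lifetime (3600 s) are constructed for illustration, and the commands are returned as strings rather than executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd syslog lines (not from the mail): one source fails three
# times in quick succession; a legitimate user typos once, then succeeds.
SAMPLE_LOG = """\
Sep 19 14:40:01 host1 sshd[2201]: Failed password for illegal user test from 198.51.100.7 port 40001 ssh2
Sep 19 14:40:02 host1 sshd[2202]: Failed password for illegal user guest from 198.51.100.7 port 40002 ssh2
Sep 19 14:40:03 host1 sshd[2203]: Failed password for root from 198.51.100.7 port 40003 ssh2
Sep 19 14:41:10 host1 sshd[2206]: Failed password for noah from 203.0.113.9 port 51000 ssh2
Sep 19 14:41:15 host1 sshd[2207]: Accepted password for noah from 203.0.113.9 port 51000 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_ts(ts, year=2004):
    # syslog timestamps carry no year; 2004 is assumed to match the thread
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").timestamp()

class FailureTracker:
    def __init__(self, threshold=3, window=600, block_ttl=3600):
        self.threshold, self.window, self.block_ttl = threshold, window, block_ttl
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked = {}                   # ip -> time its DROP rule was added

    def observe(self, line):
        """Feed one syslog line; return an iptables command when X is reached."""
        m = FAILED_RE.match(line)
        if not m or m["ip"] in self.blocked:
            return None
        now, ip = parse_ts(m["ts"]), m["ip"]
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked[ip] = now
            del self.failures[ip]
            return f"iptables -I INPUT -s {ip} -j DROP"
        return None

    def expire(self, now):
        """Return removal commands for blocks older than block_ttl."""
        stale = [ip for ip, t in self.blocked.items() if now - t >= self.block_ttl]
        for ip in stale:
            del self.blocked[ip]
        return [f"iptables -D INPUT -s {ip} -j DROP" for ip in stale]

def run(log_text, **kw):
    t = FailureTracker(**kw)
    return t, [c for c in map(t.observe, log_text.splitlines()) if c]
```

As noah notes, a per-host block like this only helps while the sweep is still in progress, so the script has to run against a live tail rather than an hourly batch.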