Re: fail2ban vs. syslogd compression



On Wednesday 29 August 2007 03:56, G.W. Haywood wrote:
> Most offenders
> are blocked permanently, at the last count we're blocking about 27,750
> ranges.  Our scripts could handle the 'repeat' messages if they needed
> to, but they don't.  The script kiddies don't get five tries, we block
> them after the first. :)

Forgive me, but as I understand IP and the whole DHCP concept and whatnot, IP 
addresses ARE reused after some time. I rarely have the same internet address 
for more than a month -- and if I randomly ended up with one of your blocked 
addresses, wouldn't I be an innocent victim?

Given the dynamic nature of the internet in general, doesn't it make more 
sense to block for, maybe 2 months, tops?

This isn't meant to downcast your job or anything, I'd just like to know the 
reasoning behind permanent versus temporary blocks (I use temporary, and it's 
always done well for me).

fail2ban blocks for 10 minutes; 10 minutes has thus far been enough to stop 
all but the most determined script kiddies, who are then blocked again (and 
again until they stop). Even using a 450 MHz Pentium II for my 
router/firewall, it's not even a noticeable load on the system.

-- 
Sincerely,
Jack
jakykong@theanythingbox.com

My GPG Public Key can be found at:
https://www.theanythingbox.com/pgp.htm (top link is current)
I appreciate signatures, but if you only know me online,
please use the --lsign-key, not the --sign-key.
I appreciate trust -- but too much makes it less valuable.
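
The temporary-ban behaviour discussed in this message, together with the syslogd "last message repeated N times" compression from the thread subject, as an added example that is not part of the original message and is not fail2ban's own code. The 10-minute ban comes from the message; the threshold of five, the 10-minute counting window, the log lines and the name `replay` are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

BANTIME = timedelta(minutes=10)   # the 10-minute ban described in the message
MAXRETRY = 5                      # assumption, from the "five tries" remark
FINDTIME = timedelta(minutes=10)  # assumption: window in which failures count

LINE = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ (.*)$")
FAIL = re.compile(r"sshd\[\d+\]: Failed password for .* from (\d+(?:\.\d+){3}) ")
REPEAT = re.compile(r"^last message repeated (\d+) times?$")

# Constructed sample log using documentation addresses, not real traffic.
SAMPLE = [
    "Aug 29 04:00:01 gw sshd[411]: Failed password for root from 192.0.2.7 port 4022 ssh2",
    "Aug 29 04:00:09 gw last message repeated 4 times",
    "Aug 29 04:05:00 gw sshd[415]: Failed password for invalid user test from 198.51.100.9 port 5111 ssh2",
    "Aug 29 04:12:30 gw sshd[420]: Failed password for root from 192.0.2.7 port 4100 ssh2",
    "Aug 29 04:12:40 gw last message repeated 5 times",
]

def replay(lines, year=2007):
    """Replay syslog lines; return [(event, ip, time)] for bans and unbans."""
    failures, banned, events, last_ip = {}, {}, [], None
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue
        now = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        for ip, until in sorted(banned.items()):   # temporary bans expire
            if until <= now:
                events.append(("unban", ip, until))
                del banned[ip]
        hit, rep = FAIL.search(m.group(2)), REPEAT.match(m.group(2))
        if hit:
            last_ip, count = hit.group(1), 1
        elif rep and last_ip:          # syslogd compression: credit the
            count = int(rep.group(1))  # repeats to the preceding failure
        else:
            last_ip = None
            continue
        if last_ip in banned:
            continue
        seen = [t for t in failures.get(last_ip, []) if now - t <= FINDTIME]
        failures[last_ip] = seen + [now] * count
        if len(failures[last_ip]) >= MAXRETRY:
            banned[last_ip] = now + BANTIME
            failures[last_ip] = []
            events.append(("ban", last_ip, now))
    return events
```

Replaying `SAMPLE` bans 192.0.2.7, releases it ten minutes later and bans it again when the failures resume; with the "repeated" lines filtered out, the same log never reaches the threshold.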
