
Re: fail2ban vs. syslogd compression

Hi there,

On Thu, 30 Aug 2007, Jack T Mudge III wrote:

> On Wednesday 29 August 2007 03:56, G.W. Haywood wrote:
> > Most offenders
> > are blocked permanently, at the last count we're blocking about 27,750
> > ranges.  Our scripts could handle the 'repeat' messages if they needed
> > to, but they don't.  The script kiddies don't get five tries, we block
> > them after the first. :)
> Forgive me, but as I understand IP and the whole DHCP concept and whatnot, IP
> addresses ARE reused after some time. I rarely have the same internet address
> for more than a month -- and if I randomly ended up with one of your blocked
> addresses, wouldn't I be an innocent victim?

You're forgiven. :)

Most people on dynamic IPs don't have the same address for more than a
day!  Yes, you'll be an innocent victim of the spammers, but normally
only if you try to send mail directly to our mailservers.  In which
case we don't want it, thank you, because in that case your computer
has probably been compromised.  (You wouldn't want to be making other
kinds of connections to our mailservers, would you? :)  Your computer
should use your service provider's mailservers to send your mail to
our mailservers.  If you run a mailserver it should be on a static IP
and it, along with your DNS data, should be properly configured.

One problem is that computers in these botnets are programmed to seem
at least superficially to be real mailservers, which they aren't, and
if we let them they'd fill our logs with so much garbage that the real
information would be totally obliterated.  Another problem is that we
pay for the bandwidth, 95% of which would be consumed by criminals if
we let them do it.

> Given the dynamic nature of the internet in general, doesn't it make more
> sense to block for, maybe 2 months, tops?

No.  Most dynamic ranges are huge blocks owned by the likes of NTL,
Wanadoo, Verizon, Bellsouth, Covad, Roadrunner...  There are 207 ISPs
in our blacklist at present.  One of the problems is that if you block
a single dynamic IP, then a few minutes later that same compromised PC
just comes back again trying from a different IP in the same ISP's
blocks of dynamic addresses.  So we block the whole lot as soon as we
can.  <rant> The ISPs could all _easily_ stop the huge botnets using
their services sending spam email to millions of people every second.
But they don't bother - some of them even ignore the police (*) when
they're notified of fraudsters using their networks - so I and other
overloaded admins like me have to deal with all this crap instead. </rant>

> This isn't meant to downcast your job or anything, I'd just like to know the
> reasoning behind permanent versus temporary blocks (I use temporary, and it's
> always done well for me).

I understand.  The reason is experience.  The fact is that any dynamic
IP is eventually going to be a source of crap so we block every last
one we can find.  There are databases of dynamic IPs from the likes of
SBL, we use them too but I'm afraid they're far from complete.

Incidentally we also block _all_ connections (not just mail) from most
of Africa, Arab countries, Bangladesh, Canada, China, Denmark, Eastern
Europe, France, India, Israel, Italy, Portugal, Russia, South America,
Spain, Taiwan, Turkey...

> fail2ban blocks for 10 minutes; 10 minutes has thus far been enough to stop
> all but the most determined script kiddies, who are then blocked again (and
> again until they stop).

Ten minutes is a little short in my experience, but yes the bulk of
the problems is dealt with by a temporary block.  Unfortunately there
are hard-core cases which temporary blocks will not deal with, hence
the permanent blocks.  I have logs showing PCs which have been trying
to send crap to us for many months from many different IPs.  Sending
mail to the abuse department at Telstra, for example, is in my
experience a complete waste of time.  One of their customers has been
trying to send mail to us every ten minutes since May.

> Even using a 450mhz pentium II for my router/firewall, it's not even
> a noticeable load on the system.

The load on the system isn't the issue.  It's the load on the system
administrator.  I actually look at my logs, and if they're so full of
crap that I can't see the things I need to see, I may as well not bother.
Then I might miss something important.  A potential sale, maybe.

(*) I contact the police about serious fraud attempts.  My experience
is that the police are as frustrated with irresponsible ISPs as I am.
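As an added illustration (not code from this thread or from fail2ban), the escalation rule argued above, temporary bans for everyone and a permanent block for the ranges that keep coming back from different addresses, written as a small Python script over constructed fail2ban-style ban log lines. Treating a /24 as "the ISP's block" is an assumption made for the example; real dynamic allocations are larger and should be taken from WHOIS or the SBL-type lists the mail mentions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of fail2ban's own log (not real data).
SAMPLE_LOG = """\
2007-08-29 03:56:10,100 fail2ban.actions: WARNING [postfix] Ban 203.0.113.17
2007-08-29 04:06:11,100 fail2ban.actions: WARNING [postfix] Unban 203.0.113.17
2007-08-29 04:07:02,100 fail2ban.actions: WARNING [postfix] Ban 203.0.113.45
2007-08-29 04:17:03,100 fail2ban.actions: WARNING [postfix] Unban 203.0.113.45
2007-08-29 04:18:30,100 fail2ban.actions: WARNING [postfix] Ban 203.0.113.17
2007-08-30 09:00:00,100 fail2ban.actions: WARNING [postfix] Ban 203.0.113.90
2007-08-29 05:00:00,100 fail2ban.actions: WARNING [postfix] Ban 198.51.100.8
"""

# Only "Ban" lines count as an offence; "Unban" lines are the bantime expiring.
BAN_RE = re.compile(r"^(\S+ \S+) \S+ WARNING \[(\w+)\] Ban (\S+)$")


def parse_bans(text):
    """Yield (timestamp, jail, ip) for every Ban line; other lines are skipped."""
    for line in text.splitlines():
        m = BAN_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1).split(",")[0], "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), ipaddress.ip_address(m.group(3))


def escalation_candidates(text, prefix_len=24, min_bans=3, min_distinct_ips=2):
    """Group ban events by /prefix_len block (assumed stand-in for an ISP range)
    and return {block: (ban_count, distinct_ips)} for the blocks that keep
    returning from more than one address, i.e. the cases a short ban cannot settle."""
    stats = defaultdict(lambda: [0, set()])
    for _ts, _jail, ip in parse_bans(text):
        block = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        stats[block][0] += 1
        stats[block][1].add(ip)
    return {
        str(block): (count, len(ips))
        for block, (count, ips) in stats.items()
        if count >= min_bans and len(ips) >= min_distinct_ips
    }


if __name__ == "__main__":
    for block, (bans, ips) in escalation_candidates(SAMPLE_LOG).items():
        print(f"{block}: {bans} bans from {ips} addresses -> permanent block")
```

On the sample, 203.0.113.0/24 is flagged (four bans from three addresses) while 198.51.100.0/24, banned once, stays on the temporary regime.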
