
Re: blocking IPs that try to crack SSH, is portsentry what I want?



Anonymous wrote:
I get loads of this crap in my auth.log file,

Failed password for illegal user root from ...
Failed password for illegal user webmaster from ...
Failed password for illegal user data from ...

sometimes almost 100 attempts in series from the same IP. I
want to install something that will block an offensive IP
indefinitely after a few bad attempts (say 3 or 4 rather
than 1, since I occasionally make typos when logging in!).

Is portsentry the package I want in order to do this?
Is it easy to configure to do what I want?

Thanks!



I have in the past taken this approach, and still do in my firewall for one or two odd IPs. I wrote a script to update the ruleset in ipfilter (I use mainly a Sun) and to block IPs that were attacking my web server.

However, after discussing this with many others, I am not convinced it is such a good idea.

It is not that hard to spoof the IP address. What happens if the spoofed IP is your DNS server? Suddenly DNS does not work. Or how about the IP address of Google, or search engine spiders? It sounds good, but I believe in practice it can lead to more problems than it solves.

--
Dr. David Kirkby PhD CEng MIEE,
Senior Research Fellow,
Department of Medical Physics,
Mallet Place Engineering Building,
Gower St,
University College London,
London WC1E 6BT.
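As an added illustration (not code from either poster), here is the counting step the question asks for, with the reply's caveat built in: a threshold of 4 failures rather than 1, so the occasional typo does not lock you out, and an allowlist so that an address you depend on (the resolver in this sample) is never blocked however many failures appear to come from it. The log lines, addresses, hostname and PIDs are constructed, and the "from <ip>" part of the line format is assumed since the original post elides it.

```python
import re
from collections import Counter

# Matches the auth.log line shape quoted in the question; the "from <ip>"
# part is assumed, as the post elides the address. Valid-user failures
# ("Failed password for alice from ...") are matched as well.
FAILED_RE = re.compile(
    r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def count_failures(log_lines):
    """Count failed-password attempts per source IP across the given lines."""
    counts = Counter()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def offenders(log_lines, threshold=4, allowlist=frozenset()):
    """Sorted IPs with at least `threshold` failures, excluding `allowlist`.

    The allowlist holds addresses that must never be blocked whatever the
    count says (resolvers, gateway, monitoring hosts): it is the guard
    against a forged source address tricking the script into cutting off
    something the host depends on, as the reply warns.
    """
    return sorted(ip for ip, n in count_failures(log_lines).items()
                  if n >= threshold and ip not in allowlist)

# Constructed sample log; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "Jan  1 00:00:01 host sshd[1001]: Failed password for illegal user root from 203.0.113.10 port 40001 ssh2",
    "Jan  1 00:00:02 host sshd[1002]: Failed password for illegal user webmaster from 203.0.113.10 port 40002 ssh2",
    "Jan  1 00:00:03 host sshd[1003]: Failed password for illegal user data from 203.0.113.10 port 40003 ssh2",
    "Jan  1 00:00:04 host sshd[1004]: Failed password for illegal user admin from 203.0.113.10 port 40004 ssh2",
    # the admin's own typos: two failures then success, must stay under the threshold
    "Jan  1 00:05:00 host sshd[1010]: Failed password for alice from 203.0.113.20 port 50001 ssh2",
    "Jan  1 00:05:05 host sshd[1011]: Failed password for alice from 203.0.113.20 port 50002 ssh2",
    "Jan  1 00:05:09 host sshd[1012]: Accepted password for alice from 203.0.113.20 port 50003 ssh2",
    # failures whose source claims to be the site's resolver: allowlisted, never blocked
    "Jan  1 00:10:00 host sshd[1020]: Failed password for illegal user root from 198.51.100.53 port 60001 ssh2",
    "Jan  1 00:10:01 host sshd[1021]: Failed password for illegal user root from 198.51.100.53 port 60002 ssh2",
    "Jan  1 00:10:02 host sshd[1022]: Failed password for illegal user root from 198.51.100.53 port 60003 ssh2",
    "Jan  1 00:10:03 host sshd[1023]: Failed password for illegal user root from 198.51.100.53 port 60004 ssh2",
]
CRITICAL_HOSTS = frozenset({"198.51.100.53"})  # constructed: the site's DNS resolver

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG, threshold=4, allowlist=CRITICAL_HOSTS))  # ['203.0.113.10']
```

Whatever consumes the returned list (an ipfilter or iptables rule, as in the reply's script) should also expire entries after a while, so a mistaken block is self-correcting.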


