
Re: random usernames in attempts to break in to my machine?



On Monday, 4 April 2022 12:03:59 EDT tomas@tuxteam.de wrote:
> On Mon, Apr 04, 2022 at 11:51:47AM -0400, gene heskett wrote:
> 
> [...]
> 
> > I'd be watching the logs for the src address, and the 2nd time I saw
> > the same address, add it to my iptables drop recipe. voila! [...]
> That's what fail2ban does for you. Only that it looks at many logs in
> parallel (your ssh, your mail server, etc.) and that it NEVER SLEEPS.
> (No, seriously ;-)
> 
> Another advantage is that it can un-ban addresses after a while, so
> that (a) your iptables don't grow without limits and (b) IP addresses
> get a second chance (useful in the case they land in the hands of
> an admin with a clue).
> 
> Since those attacks are pretty well distributed since a while (meaning
> that they come from many random IPs), the real question is: do the
> IPs repeat sufficiently to justify the (manual or automated) effort?
> 
> If an IP only repeats after, say, 10^4 or 10^5 attempts, I'd say "nah".
> I'll check that, perhaps next weekend. Perhaps I'll post my conclusion
> here, who knows :)

One of the things I've noted about bullseye is that apache2 is no longer 
generating the "other" logs like it did for stretch for many years. That 
was where all the bots wound up and I'm guessing there must be north of 
50 of them active at any one time. They move the address about once a 
month so folks checking addresses and blocking an address are worked 
around, but some I figured out had a good sized CIDR so a few got a /16 
treatment, and one or two even got a /8 block. These are the bots that 
will mirror your site and burn up your upload bandwidth because the 
instant they get to the end, they start over at the top.

It's my bandwidth they're burning up by ignoring my robots text. Not 
theirs to abuse, they've already paid for terabytes a minute. But to me 
on a budget 10 megabit circuit, it's a killer and I don't care how many 
kittens I kill but I will stop them.

Since that pair of identical 2T drives failed, shingled drives I suspect, 
I no longer have a web page, my whole /opt dir is now nearly empty and I 
did have 2 or 3 hundred gigs of stuff there. While it would be nice to 
publish some of my output again, it may not happen in what's left of my 
watch.

Apache2 is running, but does not now have anything to serve. I can 
regenerate some of it, perhaps 1% of it related to running big machinery 
with a pi mostly related to LinuxCNC, but we have some good news from 
Debian: LinuxCNC is now in unstable, and probably will be in bookworm 
when it's official.

Take care and stay well Tomas.
> Cheers
> --
> t


Cheers, Gene Heskett.
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
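Tomas's question above (do the source IPs repeat often enough to justify banning them?) can be answered from the auth log itself. The following Python is an added example, not code from either poster: it parses a constructed sshd "Failed password" sample, measures how many attempts pass between repeat appearances of each IP, and applies a fail2ban-style maxretry threshold to list the addresses a ban would actually catch.

```python
import re
from collections import defaultdict

# Constructed sshd log sample (not taken from the thread); RFC 5737 test addresses.
SAMPLE_LOG = """\
Apr  4 12:01:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Apr  4 12:01:07 host sshd[1002]: Failed password for invalid user oracle from 198.51.100.20 port 40002 ssh2
Apr  4 12:01:09 host sshd[1003]: Failed password for invalid user test from 203.0.113.5 port 40003 ssh2
Apr  4 12:01:15 host sshd[1004]: Failed password for root from 192.0.2.77 port 40004 ssh2
Apr  4 12:01:22 host sshd[1005]: Failed password for invalid user git from 198.51.100.20 port 40005 ssh2
Apr  4 12:01:30 host sshd[1006]: Failed password for invalid user ubuntu from 203.0.113.5 port 40006 ssh2
Apr  4 12:01:41 host sshd[1007]: Failed password for invalid user pi from 192.0.2.200 port 40007 ssh2
"""

# Matches both "for invalid user NAME from IP" and "for NAME from IP" (existing users).
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")

def failed_logins(text):
    """Yield (username, src_ip) for every failed-password line, in log order."""
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group(1), m.group(2)

def repeat_stats(text):
    """Return (distinct_ip_count, gaps). gaps[ip] lists, for each repeat
    appearance of ip, how many attempts (from any source) elapsed since its
    previous appearance. Small gaps mean a ban would have blocked real
    traffic; an IP that never repeats is the 10^4/10^5 case Tomas describes."""
    last_seen = {}
    gaps = defaultdict(list)
    for idx, (_user, ip) in enumerate(failed_logins(text)):
        if ip in last_seen:
            gaps[ip].append(idx - last_seen[ip])
        last_seen[ip] = idx
    return len(last_seen), dict(gaps)

def ban_candidates(text, maxretry=5):
    """fail2ban-style rule (default maxretry matches fail2ban's own default):
    IPs with at least `maxretry` failures, in the order they cross the threshold,
    i.e. the addresses an iptables DROP rule would have been generated for."""
    counts = defaultdict(int)
    banned = []
    for _user, ip in failed_logins(text):
        counts[ip] += 1
        if counts[ip] == maxretry:
            banned.append(ip)
    return banned

if __name__ == "__main__":
    distinct, gaps = repeat_stats(SAMPLE_LOG)
    print(f"{distinct} distinct IPs; repeaters and their gaps: {gaps}")
    print("would ban (maxretry=3):", ban_candidates(SAMPLE_LOG, maxretry=3))
```

Point `SAMPLE_LOG` at a real `/var/log/auth.log` (or `journalctl -u ssh` output) to see whether any address comes back before you would have un-banned it.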