From: Willie Wong
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: SSH brute force attacks and blacklist.py
Date: Thu, 28 Feb 2008 11:19:56 -0500
Message-ID: <20080228161956.GA5893@princeton.edu>
In-Reply-To: <47C69746.5010106@shic.co.uk>
References: <47C5A316.8010303@shic.co.uk> <200802281055.23451.shrdlu@unlimitedmail.org> <47C69746.5010106@shic.co.uk>
List-Id: Gentoo Linux mail
User-Agent: Mutt/1.5.13 (2006-08-11)
On Thu, Feb 28, 2008 at 11:13:10AM +0000, Penguin Lover Steve squawked:
> Thanks for all your suggestions...
>
> I will look into fail2ban... that might be what I need... While I could
> crank BLOCKING_PERIOD for blacklist.py to an absurdly high value, this
> (AFAIK) will not persist blocks when the server is powered down or rebooted.

Hum, that is interesting. I haven't played with blacklist.py, but if it runs
on top of iptables, the iptables init script *should* save the current config
when powering down. I sort of depended on that when I cobbled together a Perl
script 2 years ago to parse the sshd log and ban sites using iptables.

Also, I would not suggest banning forever. I started with the same mentality
as you and coded as such. I switched quickly to banning for 1 hour when once,
due to not noticing the caps-lock light, I banned my work computer
completely...

After switching to the 1-hour ban, I did a small experiment and saved about
2 months' worth of logs. Not a single IP address has been banned more than
once (but there were several /24s in Korea, Taiwan, and Mexico that have many
IP addresses banned). Based on this, I don't think it is strictly necessary
to ban forever.

Just my 2 cents.

W
--
Santa's helpers are subordinate clauses.
Sortir en Pantoufles: up 447 days, 14:37
--
gentoo-user@lists.gentoo.org mailing list
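The approach the reply describes (parse the sshd log, ban an offending IP with iptables for an hour rather than forever, and keep the ban list across a reboot), as an added example that is not the poster's Perl script, blacklist.py or fail2ban. The log lines are constructed, the threshold of 5 failures in 10 minutes, the state file name sshban-state.json and the `-I INPUT -s <ip> -j DROP` rule shape are assumptions, and the iptables commands are returned as strings rather than executed:

```python
"""Time-limited sshd brute-force bans with a ban list that survives reboot.
Added example for this thread, not the poster's Perl script or blacklist.py.
Assumptions: syslog-style sshd lines, a JSON state file in the working
directory, and the iptables rule shape used in the command strings."""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real traffic); syslog stamps carry no year.
SAMPLE_LOG = """\
Feb 28 10:00:01 sep sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Feb 28 10:00:03 sep sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 40123 ssh2
Feb 28 10:00:05 sep sshd[1235]: Failed password for root from 198.51.100.7 port 40124 ssh2
Feb 28 10:00:09 sep sshd[1236]: Failed password for invalid user oracle from 198.51.100.7 port 40125 ssh2
Feb 28 10:00:10 sep sshd[1237]: Failed password for invalid user test from 198.51.100.7 port 40126 ssh2
Feb 28 10:05:00 sep sshd[1240]: Failed password for wwong from 203.0.113.5 port 50001 ssh2
Feb 28 10:05:04 sep sshd[1240]: Accepted password for wwong from 203.0.113.5 port 50001 ssh2
Feb 28 11:30:00 sep sshd[1300]: Failed password for root from 198.51.100.7 port 40200 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

RUN_TIME = datetime(2008, 2, 28, 10, 10)  # a cron run just after the burst
LATER = datetime(2008, 2, 28, 12, 0)      # a run after the one-hour ban lapsed


def parse_failures(log_text, year=2008):
    """[(datetime, ip)] for each 'Failed password' line; other lines are skipped.
    The caller supplies the year because syslog stamps omit it."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    return events


def compute_bans(events, threshold=5, window=timedelta(minutes=10),
                 ban_for=timedelta(hours=1)):
    """Replay failures in order. `threshold` failures from one IP inside
    `window` produce a ban record (ip, start, expiry). Failures that land
    during an active ban are ignored (the DROP rule would stop them anyway),
    so the same IP is only banned again if it returns after the ban lapses."""
    recent = defaultdict(deque)
    active = {}  # ip -> expiry of its current ban
    bans = []
    for ts, ip in sorted(events):
        if ip in active and active[ip] > ts:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            active[ip] = ts + ban_for
            bans.append((ip, ts, ts + ban_for))
            q.clear()
    return bans


def apply_bans(bans, state, now):
    """One cron run. `state` maps banned IP -> expiry for rules believed to be
    installed. Returns (inserts, deletes, new_state): insert commands for new
    bans still live at `now`, delete commands for rules whose expiry passed."""
    state = dict(state)
    inserts, deletes = [], []
    for ip, _start, expiry in bans:
        if expiry > now and expiry > state.get(ip, datetime.min):
            if ip not in state:
                inserts.append(f"iptables -I INPUT -s {ip} -j DROP")
            state[ip] = expiry  # an already-installed rule just gets a later expiry
    for ip, expiry in sorted(state.items()):
        if expiry <= now:
            deletes.append(f"iptables -D INPUT -s {ip} -j DROP")
            del state[ip]
    return inserts, deletes, state


def restore_at_boot(state, now):
    """After a reboot the kernel tables are empty but the state file is not:
    reinstall every ban that has not yet expired and forget the rest."""
    live = {ip: exp for ip, exp in state.items() if exp > now}
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(live)], live


def load_state(path):
    try:
        with open(path) as f:
            return {ip: datetime.fromisoformat(exp) for ip, exp in json.load(f).items()}
    except FileNotFoundError:
        return {}


def save_state(path, state):
    with open(path, "w") as f:
        json.dump({ip: exp.isoformat() for ip, exp in state.items()}, f, indent=1)


if __name__ == "__main__":
    bans = compute_bans(parse_failures(SAMPLE_LOG))
    state = load_state("sshban-state.json")  # hypothetical state file name
    ins, dels, state = apply_bans(bans, state, RUN_TIME)
    save_state("sshban-state.json", state)
    print("\n".join(ins + dels))
    print("after reboot:", restore_at_boot(state, RUN_TIME)[0])
```

On the sample, the burst from 198.51.100.7 earns one ban at 10:00:10 that lapses at 11:00:10; the stray failure at 11:30 from the same address is counted fresh and does not re-ban it, which is the "banned once, then left alone" pattern the reply reports. Recording the expiry in its own file is the design choice worth noting: an init script that saves the raw rule set at shutdown restores the DROP rule after a reboot but has no idea when it should lapse, so a separate timestamped ban list is what lets a temporary ban stay temporary across a power cycle.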