SV650.org - SV650 & Gladius 650 Forum

Idle Banter (http://forums.sv650.org/forumdisplay.php?f=116) > geek question, is it worthwhile blocking detected misusers (http://forums.sv650.org/showthread.php?t=168857)

timwilky 19-07-11 12:12 PM

geek question, is it worthwhile blocking detected misusers
 
Am I wasting my time, or is it worthwhile

I run a small job every 5 minutes to look at some of my logs, where I detect failed SSH connections, failed mail relays, failed POP3, failed FTP etc. I block the source address in my iptables and add it to the config I apply on startup.

I realise I am only blocking retries of failed attempts, and many could simply refresh with a new address and restart their hacks against me. So am I wasting my computer's time, and should I be inspecting the successful connections to my server instead? Or is it worthwhile, as it adds confusion to the hacker when his target no longer responds?

SoulKiss 19-07-11 01:31 PM

Re: geek question, is it worthwhile blocking detected misusers
 
How many "valid" IP addresses/users do you have?

Better to whitelist than blacklist?

Assuming that there is some kind of intranet/portal that your valid users can access using secure credentials, get someone to write some code that allows them to register their IP address with the SSH servers.

They will only have to use the registration thing once and then again if they change their IP address.

To make it even less user interactive, look at port knocking.
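To show what SoulKiss's port-knocking suggestion involves, here is an added example (my own illustration, not code from the thread or from any real knock daemon): a small state machine that watches (source IP, destination port) events and opens port 22 for a source only after it hits a secret port sequence in order and within a time window. The knock sequence (7000, 8000, 9000), the window and open duration, the addresses and the iptables rule string are all assumptions made for this example.

```python
from dataclasses import dataclass

# Assumed parameters for this example (not taken from the thread).
KNOCK_SEQUENCE = (7000, 8000, 9000)   # TCP ports that must be hit in this order
KNOCK_WINDOW = 10.0                   # seconds allowed to complete the whole sequence
OPEN_DURATION = 30.0                  # seconds port 22 stays open after a good sequence


@dataclass
class KnockState:
    next_index: int = 0       # how many knocks of the sequence have matched so far
    started_at: float = 0.0   # time of the first correct knock


class KnockDaemon:
    """Per-source knock tracker: opens SSH for a source after the full sequence."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW, open_for=OPEN_DURATION):
        self.sequence = tuple(sequence)
        self.window = window
        self.open_for = open_for
        self.states = {}   # src_ip -> KnockState
        self.opened = {}   # src_ip -> time until which port 22 is open for it

    def observe(self, src_ip, dst_port, now):
        """Feed one observed connection attempt. Returns True if it completed the sequence."""
        state = self.states.get(src_ip, KnockState())
        if state.next_index and now - state.started_at > self.window:
            state = KnockState()              # too slow: start over
        if dst_port == self.sequence[state.next_index]:
            if state.next_index == 0:
                state.started_at = now
            state.next_index += 1
        elif dst_port == self.sequence[0]:
            state = KnockState(next_index=1, started_at=now)   # wrong knock, but it restarts the sequence
        else:
            state = KnockState()              # any other port resets progress
        if state.next_index == len(self.sequence):
            self.states.pop(src_ip, None)
            self.opened[src_ip] = now + self.open_for
            return True
        self.states[src_ip] = state
        return False

    def is_open(self, src_ip, now):
        """Whether src_ip may currently connect to port 22; expired openings are dropped."""
        expiry = self.opened.get(src_ip)
        if expiry is None:
            return False
        if now > expiry:
            del self.opened[src_ip]
            return False
        return True

    def accept_rule(self, src_ip):
        """The iptables rule the daemon would insert for an opened source (string only; nothing is run)."""
        return f"iptables -I INPUT -p tcp -s {src_ip} --dport 22 -j ACCEPT"


def demo():
    """Constructed traffic: a port scanner and a legitimate user (documentation addresses)."""
    kd = KnockDaemon()
    t = 1000.0
    for i, port in enumerate((22, 7000, 7001, 8000, 9000)):   # scanner: right ports, wrong order
        kd.observe("203.0.113.9", port, t + i * 0.01)
    for i, port in enumerate(KNOCK_SEQUENCE):                  # user: correct sequence, one second apart
        kd.observe("198.51.100.4", port, t + i)
    return (
        kd.is_open("203.0.113.9", t + 3),     # scanner never completed the sequence
        kd.is_open("198.51.100.4", t + 3),    # opened for OPEN_DURATION seconds
        kd.is_open("198.51.100.4", t + 40),   # opening has expired
    )


if __name__ == "__main__":
    print(demo())
```

A wrong or late knock sends the source back to the start, which is what stops a sequential port scan from walking the sequence by accident. The knocks themselves are visible to anyone watching the traffic, so this is an extra filter in front of SSH, not a substitute for key-based authentication.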

454697819 20-07-11 07:01 AM

Re: geek question, is it worthwhile blocking detected misusers
 
http://humour.200ok.com.au/img/pancake_bunny.jpg

flymo 20-07-11 11:44 AM

Re: geek question, is it worthwhile blocking detected misusers
 
Is this an internal service or internet-facing? You may inadvertently block valid attempts if you are issuing addresses using DHCP; addresses will be recycled to the pool and potentially used next time by somebody who should be able to connect.

If the system can secure itself well enough, look for the serious attempts and ignore the remainder.
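flymo's DHCP point is the usual argument for making blocks expire instead of keeping them forever. As an added example (mine, not from the thread), here is a blocklist in which every entry carries a ban length that doubles for repeat offenders up to a cap, a management range that is never blocked, and a JSON form for the startup config so that only bans still in force are reapplied at boot and old strike history is eventually forgotten. The timing constants, the 192.0.2.0/24 "never block" range and the addresses are assumptions made for this example.

```python
import ipaddress
import json

# Assumed policy values for this example (not from the thread).
BASE_BAN = 3600              # first offence: one hour
MAX_BAN = 7 * 86400          # cap, so a recycled DHCP lease is never blocked for good
FORGET_AFTER = 30 * 86400    # strike history is forgotten this long after the last ban expired
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.0/24")]   # constructed: our own management range


class ExpiringBlocklist:
    """Blocklist whose entries expire; repeat offenders get doubling ban lengths up to MAX_BAN."""

    def __init__(self, entries=None):
        self.entries = dict(entries or {})   # ip -> {"expires": float, "strikes": int}

    def ban(self, ip, now):
        """Record a ban for ip at time now. Returns the ban length, or None if ip is exempt."""
        addr = ipaddress.ip_address(ip)          # also rejects garbage pulled out of a log line
        if any(addr in net for net in NEVER_BLOCK):
            return None                          # never lock ourselves out
        strikes = self.entries.get(ip, {}).get("strikes", 0) + 1
        duration = min(BASE_BAN * 2 ** (strikes - 1), MAX_BAN)
        self.entries[ip] = {"expires": now + duration, "strikes": strikes}
        return duration

    def is_blocked(self, ip, now):
        entry = self.entries.get(ip)
        return entry is not None and entry["expires"] > now

    def active(self, now):
        """Addresses whose ban is still in force."""
        return sorted(ip for ip, e in self.entries.items() if e["expires"] > now)

    def forget_stale(self, now):
        """Drop strike history for addresses whose ban expired long ago, so a recycled
        lease starts with a clean slate. Returns the addresses forgotten."""
        stale = [ip for ip, e in self.entries.items() if e["expires"] + FORGET_AFTER <= now]
        for ip in stale:
            del self.entries[ip]
        return stale

    def dump(self):
        """Serialise for the startup config file."""
        return json.dumps(self.entries, sort_keys=True)

    @classmethod
    def load(cls, text):
        return cls(json.loads(text))

    def startup_rules(self, now):
        """iptables commands to apply at boot: only bans still in force (strings only; nothing is run)."""
        self.forget_stale(now)
        return [f"iptables -A INPUT -s {ip} -j DROP" for ip in self.active(now)]


def demo():
    """Constructed scenario using documentation addresses."""
    bl = ExpiringBlocklist()
    t0 = 1_700_000_000.0
    first = bl.ban("203.0.113.7", t0)             # one hour
    second = bl.ban("203.0.113.7", t0 + 4000)     # second strike doubles the ban
    exempt = bl.ban("192.0.2.10", t0)             # in the management range, not banned
    still_blocked = bl.is_blocked("203.0.113.7", t0 + 5000)   # ban runs to t0 + 11200
    released = bl.is_blocked("203.0.113.7", t0 + 12000)       # expired by then
    reloaded = ExpiringBlocklist.load(bl.dump()).startup_rules(t0 + 5000)
    return first, second, exempt, still_blocked, released, reloaded


if __name__ == "__main__":
    print(demo())
```

The doubling schedule keeps a persistent attacker out for longer each time while a one-off visitor who inherited a bad address is released within the hour; this is the same idea as the ban time and find time settings in a tool such as fail2ban.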

fastdruid 21-07-11 09:00 AM

Re: geek question, is it worthwhile blocking detected misusers
 
I say yes, it's worthwhile. While most of the attempts I got lasted 10-30 min, I had some that lasted 4-8 hours and gave significant degradation in bandwidth. I'd also see all sorts of differing types of attack, and it's possible that there was a zero-day exploit whose use was avoided by dropping them after the first few failures.

In my case I had a script that would detect 2 failures and then drop all future incoming packets, reloading the same IP list on boot (every 2-4 years ;-) ).

Druid
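timwilky's five-minute log job and fastdruid's "two failures, then drop" script describe the same detection loop. Here is an added example of that loop in Python (my illustration, not either poster's script): it runs one regex per service over syslog-style lines for sshd failures, Postfix relay rejections and Dovecot POP3 failures, counts failures per source address, skips sources already in the block list or on an allowlist, emits the iptables commands as strings for the startup config, and, since timwilky asked whether the successful connections deserve a look, lists sources that both failed and later logged in. The log lines, threshold and addresses are constructed for the example, and the message formats vary between daemon versions, so the patterns would need checking against real logs before use.

```python
import re
from collections import Counter, defaultdict

# Constructed syslog-style lines (documentation addresses), not taken from the original posts.
SAMPLE_LOG = """\
Jul 19 11:58:01 sv sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jul 19 11:58:04 sv sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jul 19 11:59:10 sv sshd[2130]: Failed password for root from 198.51.100.23 port 40022 ssh2
Jul 19 11:59:12 sv postfix/smtpd[2200]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: 554 5.7.1 <a@b.example>: Relay access denied; from=<x@y.example> to=<a@b.example>
Jul 19 11:59:40 sv dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.77, lip=198.51.100.1
Jul 19 12:00:01 sv sshd[2150]: Accepted publickey for tim from 198.51.100.23 port 40100 ssh2: RSA SHA256:abc
Jul 19 12:00:05 sv sshd[2160]: Accepted publickey for tim from 192.0.2.8 port 40200 ssh2: RSA SHA256:abc
"""

# One pattern per service; each captures the remote address as `ip`.
FAILURE_PATTERNS = {
    "ssh": re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<ip>[\d.]+) port"),
    "smtp-relay": re.compile(
        r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[(?P<ip>[\d.]+)\]:.*Relay access denied"
    ),
    "pop3": re.compile(r"dovecot: pop3-login: .*auth failed.*rip=(?P<ip>[\d.]+)"),
}
SUCCESS_PATTERN = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+) port")


def scan(log_text, threshold=2, already_blocked=(), allowlist=()):
    """Count failures per source across services and decide which new sources to drop."""
    failures = Counter()
    services = defaultdict(set)
    successes = defaultdict(set)
    for line in log_text.splitlines():
        m = SUCCESS_PATTERN.search(line)
        if m:
            successes[m["ip"]].add(m["user"])
            continue
        for name, pattern in FAILURE_PATTERNS.items():
            m = pattern.search(line)
            if m:
                failures[m["ip"]] += 1
                services[m["ip"]].add(name)
                break
    to_block = sorted(
        ip for ip, n in failures.items()
        if n >= threshold and ip not in already_blocked and ip not in allowlist
    )
    rules = []
    for ip in to_block:
        tag = ", ".join(sorted(services[ip]))   # iptables' comment match records why it was blocked
        rules.append(f'iptables -I INPUT -s {ip} -m comment --comment "{tag}" -j DROP')
    # Sources that logged in successfully but also produced failures deserve a human look.
    review = {ip: sorted(users) for ip, users in successes.items() if ip in failures}
    return {"failures": dict(failures), "rules": rules, "review": review}


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for rule in result["rules"]:
        print(rule)
    print("review:", result["review"])
```

With the sample lines, 203.0.113.5 (two SSH failures) and 203.0.113.77 (one relay rejection plus one POP3 failure) reach the threshold, while 198.51.100.23 is left alone but flagged for review because the same address failed once and then logged in as tim. Counting across services is what catches the second case; per-service counters would never see 203.0.113.77 reach two.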



Powered by vBulletin® - Copyright ©2000 - 2025, Jelsoft Enterprises Ltd.