geek question, is it worthwhile blocking detected misusers

[timwilky]

Am I wasting my time, or is it worthwhile

I run a small job every 5 minutes to look at some of my logs, where I detected failed ssh connections, failed mail relays, failed pop3, failed ftp etc. I block the source address in my iptables and add it to the config I apply on startup.

I realise I am only blocking failed attempts retrying and many could simply refresh with a new address and restart their hacks against me. So am I wasting my computers time and I should be inspecting the successful connections to my server. Or is it worthwhile as it adds confusion to the hacker when his target no longer responds.

[SoulKiss]

how many "valid" IP addresses/users do you have?

Better not to whitelist than blacklist?

Assuming that there is some kind of intranet/portal that your valid users can access using secure credentials, get someone to write some code that allows them to register their IP address with the SSH servers.

They will only have to use the registration thing once and then again if they change their IP address.

To make it even less user interactive, look at port knocking.

[flymo]

is this an internal service or internet facing? You may inadvertently block valid attempts if you are issuing addresses using dhcp, addresses will be recycled to the pool and potentially used next time by somebody that should be able to connect.

If the system can secure itself well enough, look for the serious attempts and ignore the remainder.

[fastdruid]

I say yes its worthwhile. While most of the attempts I got lasted 10-30min I had some that lasted 4-8hours and gave significant degradation in bandwidth. I'd also see all sorts of differing types of attack and its possible that there was a zero day exploit that was avoided being used by dropping them after the first few failures.

In my case I had a script that would detect 2 failures and then drop all future incoming packets, reloading the same IP list on boot (every 2-4 years )

Druid