Always Learning wrote:
>
> On Mon, 2011-08-29 at 15:31 -0400, m.roth@xxxxxxxxx wrote:
>
>> Sorry, not a lunatic. Your website's name has been harvested, and added
>> to some black-market commercial or script kiddie toolkit, and it's on
>> infected servers around the world. Take it from me... (I'm a contractor
>> for a US Federal Gov't agency*, and we get *tons*.
>
> It would be nice if Uncle Sam went after the pests.

Please. We don't want "unintended consequences" (as in, you're running
these servers open to the 'Net? Why, you should....)*
>
> The attacks are not automatic. The loony is currently having difficulty
> finding vulnerable IPs and concentrating his efforts on a Japanese
> company with very lax security (7 IPs at the same place so far).

Sounds like that may be their attack vector. I'd expect it to spread.
>
>> Check out fail2ban. It works very nicely.
>
> Mark,
>
> From http://www.fail2ban.org/wiki/index.php/Main_Page
> it states:
>
>     Fail2ban scans log files like /var/log/pwdfail
>     or /var/log/apache/error_log and bans IP that
>     makes too many password failures. It updates
>     firewall rules to reject the IP address.
>
> I would like, if possible, to identify the fragments in IP tables and
> instantly block the packets thus preventing them entering the remainder
> of the server. Fail2ban does not do this. My current blocking
> requirement is specialised.

You might want to try it, anyway. It takes care of a *lot* of other
attacks, too.

        mark

* Forgot this on the last post: ObDisclaimer: I do not speak for the US
Federal Gov't, nor for my employer; I speak (and rant) only for myself.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
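
The log-scan-then-reject behaviour quoted above from the fail2ban page, sketched as an added example (not part of the thread and not fail2ban's own code). The sshd log format, the `max_retry` and `find_time` names, and the `INPUT` chain are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in sshd syslog style (not taken from the thread).
SAMPLE_LOG = """\
Aug 29 15:30:01 host sshd[2101]: Failed password for root from 192.0.2.10 port 4022 ssh2
Aug 29 15:30:04 host sshd[2103]: Failed password for invalid user admin from 192.0.2.10 port 4025 ssh2
Aug 29 15:30:09 host sshd[2107]: Accepted password for alice from 198.51.100.7 port 5111 ssh2
Aug 29 15:30:15 host sshd[2110]: Failed password for root from 192.0.2.10 port 4031 ssh2
Aug 29 15:31:00 host sshd[2115]: Failed password for bob from 203.0.113.5 port 6001 ssh2
Aug 29 15:50:00 host sshd[2190]: Failed password for bob from 203.0.113.5 port 6044 ssh2
Aug 29 16:10:00 host sshd[2240]: Failed password for bob from 203.0.113.5 port 6090 ssh2
"""

# The user field is attacker-controlled, so it is matched greedily and the line is
# anchored at its end: the address captured is always the one sshd itself appended.
FAILURE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?.+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def find_offenders(log_text, max_retry=3, find_time=timedelta(minutes=10), year=2011):
    """Return IPs that reach max_retry failures inside a sliding find_time window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    banned = []
    for line in log_text.splitlines():
        m = FAILURE.match(line)
        if not m:
            continue
        # syslog timestamps omit the year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()      # forget failures older than the window
        if len(window) >= max_retry and m["ip"] not in banned:
            banned.append(m["ip"])
    return banned

def reject_rule(ip):
    """argv for an iptables rule rejecting the address (built here, never executed)."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "REJECT"]

if __name__ == "__main__":
    for ip in find_offenders(SAMPLE_LOG):
        print(" ".join(reject_rule(ip)))
```

The decision is made only after log lines have been written, which is why this approach does not cover the per-packet fragment filtering asked about in the quoted text.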