Paranoid Firewalling




Scot L. Harris wrote:
> Actually this won't reduce any bandwidth to your server.  The probes
> still hit that address, you are just blocking those packets in iptables
> from being able to get any further.

Are you saying that the single connect-and-drop that this scheme introduces is going 
to use the same bandwidth as a brute-force password attack on hundreds of login names?

> If you could implement this further up the line then you could reduce
> traffic to your servers.

Sure, that would be good. <SARCASM> Do you think I can get SBC to implement custom 
filtering for our DSL? </SARCASM> ;)

> Putting a blanket deny on traffic from specific IP ranges is effective
> if attacks are coming from those ranges.  The problem is that hackers
> will typically want to use an intermediate site to launch an actual
> attack from.  This makes it harder to trace the actual source of the
> attack.  At least good hackers do this.  Script kiddies don't know to do
> this.  

If you read the article, you'll see that the author suggests that the traffic is 
probably coming from zombied personal machines in the far east occurring as a result 
of a lack of security knowledge and awareness in those new to the net.

I don't expect this to be perfect, just an additional step to protect my servers.

Kirk Bocek

