On May 22, 2007, at 10:34, Philip H. O'Neill wrote:
We do the same but there is an issue.
One: File::Tail delays polling the log for up to 30 seconds unless you
tell it otherwise. So it will allow a number of attempts before
reading the log. If you increase the polling you add load to the
system. Not much but some.
We like the idea of adding the timer to iptables along with logging so
the address can be tracked. If the address comes back then it can be
added to a permanent block.
We're not running this on linux (no iptables) but using Solaris'
ipfilter. The timer function seems nice; we just have the daemon
keep a database of the 'bad' ips and release the block whenever one
times out.
It's not, by any means, the "perfect" solution* -- there is no such
thing. However, it's quick, easy, and stops 99% of your problems.
*security people seem to obsess on "perfect" solutions. It bothers me.
-rob
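The scheme both posters describe (watch the log for failed logins, block the source for a while, remember it, and block it for good if it comes back after the timer releases it) as an added example; this is not code from the thread, from Cyrus, or from either poster's daemon. Assumptions: the regex for Cyrus `badlogin` lines, the thresholds, the sample log lines (constructed), and the firewall commands, which are generated as strings here rather than executed (the ipfilter form in particular should be checked against ipf(5) on your release).

```python
"""Log-driven temporary and permanent IP blocking.

Added example, not the thread's own code.  Timestamps are passed in so
the expiry logic can be exercised offline without sleeping.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Cyrus imapd failed-login lines look roughly like
#   imap[1234]: badlogin: host [192.0.2.10] plaintext bob SASL(-13): ...
# The pattern is an assumption; match it against your own syslog output.
BADLOGIN_RE = re.compile(r"badlogin: \S+ \[(?P<ip>[0-9a-fA-F.:]+)\] ")

# Constructed sample lines, not taken from a real server.
SAMPLE_LINES = [
    "May 22 10:34:01 mail imap[1234]: badlogin: unknown [192.0.2.10] "
    "plaintext bob SASL(-13): authentication failure: checkpass failed",
] * 3


@dataclass
class Offender:
    failures: int = 0                      # failures since the last block
    blocked_until: Optional[float] = None  # None = no temporary block active
    prior_blocks: int = 0                  # temporary blocks already served
    permanent: bool = False


@dataclass
class BlockTracker:
    threshold: int = 5          # failures before a temporary block (assumed)
    block_seconds: float = 600  # length of a temporary block (assumed)
    offenders: Dict[str, Offender] = field(default_factory=dict)

    def _active(self, o: Offender, now: float) -> bool:
        return o.blocked_until is not None and now < o.blocked_until

    def record_failure(self, ip: str, now: float) -> Optional[str]:
        """Return 'temp' or 'perm' when a new block should start, else None."""
        o = self.offenders.setdefault(ip, Offender())
        # Lines that arrive while a block is already in place (the polling
        # delay mentioned in the thread) must not re-arm the timer.
        if o.permanent or self._active(o, now):
            return None
        if o.prior_blocks >= 1:
            # The address came back after a block expired: block it for good.
            o.permanent = True
            return "perm"
        o.failures += 1
        if o.failures < self.threshold:
            return None
        o.failures = 0
        o.prior_blocks += 1
        o.blocked_until = now + self.block_seconds
        return "temp"

    def expire(self, now: float) -> List[str]:
        """Release temporary blocks whose timer has run out; return their IPs."""
        released = []
        for ip, o in self.offenders.items():
            if o.blocked_until is not None and now >= o.blocked_until:
                o.blocked_until = None
                released.append(ip)
        return released


def firewall_command(ip: str, action: str, backend: str = "iptables") -> str:
    """Build the rule change for 'temp', 'perm' or 'release' (strings only)."""
    if backend == "iptables":
        op = "-D" if action == "release" else "-I"
        return f"iptables {op} INPUT -s {ip} -p tcp --dport 143 -j DROP"
    if backend == "ipfilter":  # Solaris ipf; syntax is an assumption, see ipf(5)
        op = "ipf -r -f -" if action == "release" else "ipf -f -"
        return f"echo 'block in quick from {ip} to any' | {op}"
    raise ValueError(f"unknown backend {backend!r}")


def process_lines(tracker: BlockTracker, lines: List[str], now: float):
    """Feed log lines to the tracker; return [(ip, action)] for new blocks."""
    events = []
    for line in lines:
        m = BADLOGIN_RE.search(line)
        if not m:
            continue
        action = tracker.record_failure(m.group("ip"), now)
        if action:
            events.append((m.group("ip"), action))
    return events


if __name__ == "__main__":
    t = BlockTracker(threshold=3, block_seconds=60)
    for ip, action in process_lines(t, SAMPLE_LINES, now=0):
        print(firewall_command(ip, action))
    for ip in t.expire(now=60):
        print(firewall_command(ip, "release"))
    for ip, action in process_lines(t, SAMPLE_LINES[:1], now=100):
        print(firewall_command(ip, action, backend="ipfilter"))
```

The daemon would run `expire()` on each poll and `record_failure()` per parsed line; because lines already queued behind a 30-second File::Tail delay are ignored while the rule is active, the backlog does not extend the block.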
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html