Hi everybody,
On Tuesday, June 28, 2005 9:10 AM, Taylor, Grant wrote:
> [...]
> One point of interest would be the use of the "--rttl" option on the
> recent matches. I have not tested such tests but plan to do so in
> the future. Please reply to the mail list with your experiences.
> As always any comments and / or suggestions are most welcome and
> appreciated.
Definitely a very nice piece of work! Though I personally do not use the
longer banning times, since just banning them for a minute has proven long
enough to make them move to the next host, I do like the "stacked chains".
My use for a second level is to log only the first DROP, so the DROPS won't
flood my logs.
Speaking of flooding: Does anybody know how long IPs are stored in the
recent list, until they are removed again?
The requested "any comments / suggestions" section:
Maybe also put a time limit on the whitelist, since IPs added there will be
most likely dynamic ones, otherwise they would probably have been added to
another permanent whitelist.
Possibly strange ideas: If a certain IP makes it to a certain level of
blacklisting, drop everything --state NEW from them, not just ssh (dropping
also established things might allow a too powerful and easy DoS)
Add a host to a special whitelist after doing something special, like
connecting to a certain port, which would lower the risk of a DoS (they can
still try, but you can override it)
I haven't used the --rttl option either, but I did monitor the TTLs of
dropped bruteforce attempts. Most different hosts also had different TTLs,
but packets from a single attacker never had different ones, so adding that
option should (at least at the moment) not result in significantly more
successful connection attempts than without.
Marius
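As an added example (not part of Marius's or Grant's mail), here is the stacked-chain layout the thread describes, emitted in iptables-restore format so it can be reviewed before loading: a one-minute ban after repeated NEW connections with --rttl, a second chain that logs only the first DROP, a time-limited whitelist, and a "special port" that adds a host to that whitelist. Chain names, recent table names, the hit count and the knock port are assumptions.

```shell
#!/bin/sh
# Added example, not the list's own rules. Tunables (assumed values):
BAN_SECONDS=${BAN_SECONDS:-60}         # ban lasts one minute of silence, as in the mail
HITCOUNT=${HITCOUNT:-4}                # the 4th NEW connection inside BAN_SECONDS bans
WHITE_SECONDS=${WHITE_SECONDS:-86400}  # whitelist entries expire after 24 h (assumed)
KNOCK_PORT=${KNOCK_PORT:-2222}         # assumed "special port" that whitelists a host

# Note: each 'recent' table keeps a bounded number of addresses (module
# parameter ip_list_tot, default 100); when full, the oldest entry is evicted.
ssh_ratelimit_rules() {
cat <<EOF
*filter
:SSH_CHECK - [0:0]
:SSH_DROP - [0:0]
# A hit on the knock port records the source in the whitelist table.
-A INPUT -p tcp --dport $KNOCK_PORT -m state --state NEW -m recent --name sshwhite --set -j DROP
# Whitelisted hosts bypass the rate limit until their entry is older than WHITE_SECONDS.
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name sshwhite --rcheck --seconds $WHITE_SECONDS -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
# Level 1: record the source, then ban on the HITCOUNT-th connection within BAN_SECONDS.
# --rttl requires the packet TTL to match the one stored by --set, so a spoofed
# stream with a different TTL cannot get a legitimate host banned.
-A SSH_CHECK -m recent --name sshprobe --set
-A SSH_CHECK -m recent --name sshprobe --update --seconds $BAN_SECONDS --hitcount $HITCOUNT --rttl -j SSH_DROP
-A SSH_CHECK -j ACCEPT
# Level 2: log the first dropped packet of a ban only; later ones drop silently.
-A SSH_DROP -m recent --name sshbanned --rcheck --seconds $BAN_SECONDS -j DROP
-A SSH_DROP -m recent --name sshbanned --set -j LOG --log-prefix "SSH-BAN: "
-A SSH_DROP -j DROP
COMMIT
EOF
}

# Review the output, then load without flushing existing rules:
#   ssh_ratelimit_rules | iptables-restore -n
```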