On Sunday 2005-November-20 12:33, Michael D. Berger wrote:
> For blocking various attacks on ports 22 and 80,
> I have been using:
> -j REJECT --reject-with icmp-host-unreachable
> To minimize future attempts, is this best, or is
> there a better idea, such as DROP?
I doubt it matters much. I have seen, though, with my own approach of
"-m limit --limit 3/min --limit-burst 3 -j ACCEPT" (followed by a DROP
or REJECT rule) that -j REJECT does not always turn them away
immediately, whereas with -j DROP they usually give up. But my REJECT
uses the default, "--reject-with icmp-port-unreachable".
Insofar as concerns future attacks, as long as you have those ports
open, you will have bots and worms knocking on them. They are nothing
more than an annoyance if you have properly secured services.
I think the purpose of the SSH probes is to find more hosts from which
to launch these probes. :) And some of them are put to work in phishing
scams. The whole idea is to make it impossible to trace the phisher.
They probably decide who to attack by doing a port scan on 22 of the
entire Internet. When you're using stolen resources, there is no need
to conserve.
HTTP probes are similar except most of those seem to target MS IIS.
These are more likely to be operated by Internet mass-mail marketers,
a/k/a spammers.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
