> > On Wed, Aug 27, 2008 at 4:41 AM, Burke, Thomas G. <tg.burke@xxxxxxx> wrote:
> >> Personally, I just blocked all of apnic... They're the source of over 90%
> >> of my issues, and I don't really care if I make them mad.
> >>
> On Wed, Aug 27, 2008 at 4:52 AM, George Magklaras <georgios@xxxxxxxxxxxxx> wrote:
> I do not normally bother following up on reports on all attacks. Most of
> them are scripted and there are too many. So, my IPS/IDS has a good list of
> 'not-to-block' IP addresses, and whatever else outside this IP list attacks
> any service is blocked. Most good IPS/IDS vendors also provide near
> real-time lists of network blocks, especially from countries with large ISP
> segments that typically consist of various classes of IP blocks for home
> DSL/dialup customers, where most of the compromised PCs serve botnets and
> malicious scripters. This keeps the number of IPTABLES rules down and can
> block most of these annoying attacks.
>
> GEO-IP blocking may also help if you definitely know that you should not be
> expecting traffic from any part of the world. The problem is you need to
> update the IP list regularly and be ready to accept some false positives
> from IPs that suddenly are legit.
>
> For other types of more persistent and unusual attacks, you need to get in
> touch with the CERT team of a major telco provider. They are keen to know of
> these issues, and if they provide the backbone of your connectivity, maybe
> there is part of your SLA that covers these sorts of things, generally
> speaking.
>

Your insights and suggestions are appreciated, thank you.

Jose R R
http://www.metztli-it.com

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
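The scheme George describes above (a 'not-to-block' list that always wins, a large network/country block list kept out of the individual iptables rules, and a list that has to be refreshed regularly without leaving a window of false positives) is what ipset was built for. The script below is an added example written for this thread, not code from George, Thomas or the redhat-list project. It assumes `ipset` and `iptables` are installed, that the block list arrives as CIDRs one per line (a GeoIP country export or a vendor feed; the ranges here are constructed RFC 5737 documentation addresses, not a real feed), and that the chain name `GEOBLOCK` and the set names `allow`/`geoblock` are free to use. It runs in dry-run mode by default and only prints the commands it would execute.

```shell
#!/bin/sh
# Added example (not from the original thread): allow-first geo/network
# blocking with ipset + iptables, refreshed atomically.
# Assumptions: ipset and iptables are installed; block list is a file of
# CIDRs, one per line, '#' comments allowed (GeoIP export or vendor feed).
# DRY_RUN=1 (the default) prints the commands instead of running them.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# Constructed sample lists using RFC 5737 documentation ranges.
ALLOW_NETS="
203.0.113.0/24      # office uplink: never block, even if it trips the IDS
198.51.100.7        # monitoring host, lives inside a blocked /24 below
"
BLOCK_NETS="
192.0.2.0/24        # sample 'country' block from a geo feed
192.0.2.128/25      # overlaps the /24 above; hash:net accepts both
198.51.100.0/24     # home-DSL style block that contains the monitor host
"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Drop comments and blank lines; emit one CIDR per line.
clean_list() {
    printf '%s\n' "$1" | sed 's/#.*//' | awk 'NF { print $1 }'
}

# Load a set atomically: fill a scratch set, then swap it under the live
# name so the DROP rule never matches against a half-loaded or empty set
# while a feed refresh is in progress. Re-run this from cron to update.
load_set() {
    set_name="$1"; nets="$2"
    run ipset create "${set_name}_new" hash:net -exist
    run ipset flush "${set_name}_new"
    for net in $(clean_list "$nets"); do
        run ipset add "${set_name}_new" "$net" -exist
    done
    run ipset create "$set_name" hash:net -exist   # first run: make target
    run ipset swap "${set_name}_new" "$set_name"
    run ipset destroy "${set_name}_new"            # now holds the old list
}

# One chain, two rules, regardless of how many networks are in the feed.
# The allow set is checked BEFORE the block set, so a legitimate peer that
# happens to sit in a blocked ISP/country range still gets through.
install_chain() {
    run iptables -N GEOBLOCK 2>/dev/null || true
    run iptables -F GEOBLOCK
    run iptables -A GEOBLOCK -m set --match-set allow src -j RETURN
    run iptables -A GEOBLOCK -m set --match-set geoblock src -j DROP
    # Hook the chain at the top of INPUT once (-C needs iptables >= 1.4.11).
    if [ "$DRY_RUN" = 1 ] || ! iptables -C INPUT -j GEOBLOCK 2>/dev/null; then
        run iptables -I INPUT 1 -j GEOBLOCK
    fi
}

# Full plan: sets first (so the rules never reference a missing set), then chain.
build_all() {
    load_set allow "$ALLOW_NETS"
    load_set geoblock "$BLOCK_NETS"
    install_chain
}

build_all
```

Run it as `DRY_RUN=1 sh geoblock.sh` to review the plan, then `DRY_RUN=0` as root to apply; putting `load_set geoblock` on a cron schedule that regenerates `BLOCK_NETS` from the feed gives the regular refresh without ever flushing the live set. Keep the allow set deliberately small and reviewed: anything in it bypasses the geo block entirely.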