Login attacks

John Summerfield debian at herakles.homelinux.org
Thu Dec 9 01:00:57 UTC 2004


On Thursday 09 December 2004 07:19, Kostas Sfakiotakis wrote:
> All I mean is that if someone just starts blocking entire ranges, then
> he might very well end up unable to surf half the Internet or even more.
> Is there a way to block, for example, the range from
> 64.0.0.1 to 64.0.0.25, leaving the other IPs free?

We are talking about blocking incoming connexions. This has no implications 
for outgoing.

In considering your firewall settings, review what services you offer and to 
whom.
At school we have web, incoming and outgoing mail (SMTP and IMAP). And SSH 
and VPN.

Web is theoretically accessible to all.
Ditto incoming mail.
VPN connexions are only appropriate from our local area.
Boss travels the world and wants access to his mail; one way to ensure this is 
to make IMAP accessible to all.
We'll assume nobody needs ssh connexions outside our area.

This clarifies what I can and cannot block: I can allow SSH for just our local 
area, I can allow IMAP to our local area plus the areas the boss is likely to 
visit, or a means for him to enable it remotely.

Note that if you're running your own mail service and have secondary MXes, 
blocking selected areas with firewall rules is likely to be less effective 
than you might expect; a significant amount of the spam that gets into my 
setup does so through a designated MX.


I've recently created separate zones in my shorewall rules to be picky about 
sources of ssh connexions and it's reduced the incidents of failed logins 
significantly.


-- 

Cheers
John Summerfield
tourist pics: http://environmental.disaster.cds.merseine.nu/
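
The per-service source restrictions discussed in this message, together with the narrow range from the quoted question, as an added example that is not part of the original post. It emits plain iptables rule lines rather than shorewall zones; the port numbers are the standard ones, and the "local area" and travel networks are constructed documentation ranges.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Exact CIDR cover of first..last inclusive, so nothing outside is hit."""
    a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if a > b:
        raise ValueError("range start is above range end")
    return [str(n) for n in ipaddress.summarize_address_range(a, b)]

# Constructed stand-ins: documentation networks, not real site addresses.
LOCAL_AREA = ["192.0.2.0/24", "198.51.100.0/24"]
BOSS_TRAVEL = ["203.0.113.0/24"]

# TCP port -> allowed sources; None means open to everyone.
POLICY = {
    80: None,                       # web
    25: None,                       # incoming mail (SMTP)
    143: LOCAL_AREA + BOSS_TRAVEL,  # IMAP
    22: LOCAL_AREA,                 # SSH
}

def build_rules(policy, blocked_ranges=()):
    # Replies to connections we opened are accepted first, so the source
    # blocks below only affect new incoming connections, not outgoing use.
    rules = ["-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for first, last in blocked_ranges:
        for cidr in range_to_cidrs(first, last):
            rules.append(f"-A INPUT -s {cidr} -j DROP")
    for port, sources in sorted(policy.items()):
        if sources is None:
            rules.append(f"-A INPUT -p tcp --dport {port} -j ACCEPT")
            continue
        for src in sources:
            net = ipaddress.ip_network(src)  # rejects malformed entries
            rules.append(f"-A INPUT -p tcp -s {net} --dport {port} -j ACCEPT")
        # Anything not matched above for this port is refused.
        rules.append(f"-A INPUT -p tcp --dport {port} -j DROP")
    return rules

if __name__ == "__main__":
    for rule in build_rules(POLICY, [("64.0.0.1", "64.0.0.25")]):
        print(rule)
```

The range 64.0.0.1 to 64.0.0.25 is not a single CIDR block, so it becomes six DROP rules that cover exactly those 25 addresses and nothing else.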



