
Re: Login attacks



On Thu, 2004-12-09 at 02:02, Randy Kelsoe wrote:
> Serge de Souza wrote:
> > Gerry Doris wrote:
> > > I had so many problems with the 218.0.0.0/24 domain that I totally
> > > blocked the entire domain.  I believe this domain is in Korea.

Again missed an OP, maybe I should filter out any mail which contains
the string "FC3" ;-)

Most of these login-attempts originate from a WIN-Virus, i.e. the attacks
come from dial-up accounts of unsuspecting users. You're eventually
blacklisting the whole internet if you continue that ;-)

Go back in the archives, it was discussed about a month ago that it
might make sense to temporarily (for some hours) block the IPs in
question. After implementing a temporary block, my logs now show that
the attackers fall into the trap (by trying root/pw), get rejected a few
times on further attempts and do not come back after that.

Besides -- I guess this method would even work for a real, human
attacker. There are enough machines out there which justify *not* to
wait for 5 hours to continue a brute-force attack.
-- 
HaJo Schatz <hajo hajo net>
http://www.HaJo.Net

PGP-Key:  http://www.hajo.net/hajonet/keys/pgpkey_hajo.txt
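
The temporary block described in the message above, as an added example that is not part of the original post: it reads sshd "Failed password" lines and computes a time-limited block per source address. The threshold, the counting window, the function names and the sample log lines are assumptions made for illustration; the 5-hour duration follows the figure mentioned in the message.

```python
import re
from datetime import datetime, timedelta

# Assumed policy: the message only says "a few times" and "some hours".
MAX_FAILURES = 3
WINDOW = timedelta(minutes=10)
BLOCK_FOR = timedelta(hours=5)

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = """\
Dec  9 02:00:01 host sshd[2101]: Failed password for root from 192.0.2.10 port 40001 ssh2
Dec  9 02:00:03 host sshd[2102]: Failed password for root from 192.0.2.10 port 40002 ssh2
Dec  9 02:00:05 host sshd[2103]: Failed password for illegal user admin from 192.0.2.10 port 40003 ssh2
Dec  9 02:00:07 host sshd[2104]: Failed password for root from 192.0.2.10 port 40004 ssh2
Dec  9 02:05:00 host sshd[2110]: Failed password for alice from 198.51.100.7 port 51000 ssh2
""".splitlines()

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?:invalid|illegal) user )?(\S+) from (\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_failure(line, year):
    """Return (timestamp, user, ip) for a failed login line, else None."""
    m = FAILED.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)

def plan_blocks(lines, year=2004):
    """Return {ip: (blocked_from, blocked_until)} for sources over the threshold."""
    recent, blocks = {}, {}
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is None:
            continue
        ts, _user, ip = parsed
        if ip in blocks and ts < blocks[ip][1]:
            continue  # still inside an active block; nothing new to decide
        hits = [t for t in recent.get(ip, []) if ts - t <= WINDOW] + [ts]
        recent[ip] = hits
        if len(hits) >= MAX_FAILURES:
            blocks[ip] = (ts, ts + BLOCK_FOR)  # expires by itself
            recent[ip] = []
    return blocks

def is_blocked(blocks, ip, now):
    return ip in blocks and blocks[ip][0] <= now < blocks[ip][1]
```

The block list only records decisions; applying and expiring the matching firewall rules is left to whatever packet filter the host uses.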

