Date: Thu, 28 Sep 2006 08:21:41 +0000
From: Josh Paetzel <josh@tcbug.org>
To: freebsd-chat@freebsd.org
Subject: Re: Party
Message-ID: <200609280821.41963.josh@tcbug.org>
In-Reply-To: <200609271926.14172.soralx@cydem.org>
References: <20060920104047.GA49442@splork.wirewater.yow> <5dc6f198bfa0075cef0c190d90351273@FreeBSD.org> <200609271926.14172.soralx@cydem.org>
On Thursday 28 September 2006 02:26, soralx@cydem.org wrote:
> > garbage, in my inbox. It seems after every ssh-bruteforce wave,
> > there's a spike in spam distribution. So the problem just keeps
> > showing up. To me, it seems like there's hordes of vandals
> > running about torching the town, and generally causing havoc. I
> > guess I just
>
> What can be done to keep the logs neat (i.e., free from the
> ssh-bruteforce garbage) is this: for a given number of login
> failures (e.g., 8), add an ipfw rule that blocks all traffic from
> the offending IP#. Of course, this has got to be automatized
> (script?). I used to add the rules manually, as an experiment, and
> I found that attacks from one IP# do repeat, though very seldom
> (the period may be as long as a few months). The rule list will
> grow without bounds :( I figure, this reduces the amount of
> received spam slightly too.
>
> Yes, not a novel idea (to phrase it softly); yet, I actually tested
> it, found that there's net gain from doing that (as small as it may
> be), and no noticeable bad consequences.
>
> [SorAlx] ridin' VN1500-B2

Between AllowUsers and disabling password authentication via ssh it sort of amuses me to see people try to get in on the few machines that I have to allow global ssh access to. Perhaps I have a sick sense of humor. I have also noticed that the IPs are different every day, although I once had over 1000 attempts a day for 2 weeks straight from the same IP. I sure wish I could've sent that one a smug taunting email. There are tons of scripts that can add IPs to firewalls after x number of attempts floating around. I could probably dodge a lot of it by running ssh on an alternate port, but then I'd have to find something besides reading the logs to amuse myself with.

Spam on the other hand is a more vexing problem. Sure, I apply the usual band-aids, SA, RBLs, configuring Postfix to not play nicely with non-RFC-compliant clients, but for all that I'm treating symptoms instead of the disease. The only viable solution to the problem of spam that I can see (and I'm positive that it would never happen) is an international agency tasked to track down and punish the people responsible for spam. They'd have to have the power to go after these people no matter what country they were hiding in, the resources to make a dent in the problem, and the cooperation of a significant percentage of mail admins on the net. Perhaps a slightly more likely scenario would be to make it a crime to run an open relay? I'd also like to see ISPs take measures to protect the net from trojaned windows machines on high-speed DSL and cable connections... perhaps allowing access only to their mailservers?

Anyways, enough pipe dreams, I have to get back to reading my logs.

-- 
Thanks,

Josh Paetzel
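The threshold-then-block procedure described in the quoted message (count sshd login failures per source address, block the address with ipfw once it reaches a given number, e.g. 8), written out as a small POSIX sh script. This is an added example, not a script from the thread or from either poster. It assumes FreeBSD-style sshd "Failed password" lines in the auth log, and it puts offenders into an ipfw lookup table referenced by one static deny rule instead of adding a new rule per address, so the rule list does not grow without bound; the table number (1) and rule number (100) are assumptions chosen for illustration. The sample log lines and addresses are constructed. By default the script only prints the commands it would run.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): count sshd password
# failures per source IP and emit the ipfw commands that would block each
# address once it reaches THRESHOLD failures. Dry-run unless APPLY_RULES=1.
# Table number, rule number and log format are assumptions.

THRESHOLD="${THRESHOLD:-8}"     # failures before an address is blocked
IPFW_TABLE="${IPFW_TABLE:-1}"   # assumed ipfw lookup table for offenders
IPFW_RULE="${IPFW_RULE:-100}"   # assumed rule number for the one static deny rule

# Constructed sample auth-log lines: 9 failures from 203.0.113.5, 3 from
# 198.51.100.7, and one successful key login that must not be counted.
SAMPLE_LOG='Sep 28 08:01:11 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Sep 28 08:01:13 host sshd[1203]: Failed password for root from 203.0.113.5 port 51235 ssh2
Sep 28 08:01:15 host sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
Sep 28 08:01:17 host sshd[1207]: Failed password for root from 203.0.113.5 port 51237 ssh2
Sep 28 08:01:19 host sshd[1209]: Failed password for invalid user oracle from 203.0.113.5 port 51238 ssh2
Sep 28 08:01:21 host sshd[1211]: Failed password for root from 203.0.113.5 port 51239 ssh2
Sep 28 08:01:23 host sshd[1213]: Failed password for invalid user guest from 203.0.113.5 port 51240 ssh2
Sep 28 08:01:25 host sshd[1215]: Failed password for root from 203.0.113.5 port 51241 ssh2
Sep 28 08:01:27 host sshd[1217]: Failed password for invalid user www from 203.0.113.5 port 51242 ssh2
Sep 28 08:02:01 host sshd[1220]: Failed password for josh from 198.51.100.7 port 40001 ssh2
Sep 28 08:02:05 host sshd[1222]: Failed password for josh from 198.51.100.7 port 40002 ssh2
Sep 28 08:02:09 host sshd[1224]: Failed password for josh from 198.51.100.7 port 40003 ssh2
Sep 28 08:03:00 host sshd[1230]: Accepted publickey for josh from 192.0.2.10 port 40100 ssh2'

# stdin: log lines; stdout: "<count> <ip>" per address, most failures first.
failures_per_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# stdin: log lines; stdout: addresses with at least THRESHOLD failures.
offenders() {
    failures_per_ip | awk -v t="$THRESHOLD" '$1 >= t { print $2 }'
}

# The one-time rule that makes the table effective (install once, not per run).
table_rule() {
    printf 'ipfw add %s deny ip from table(%s) to any\n' "$IPFW_RULE" "$IPFW_TABLE"
}

# stdin: log lines; stdout: one "ipfw table N add <ip>" line per offender.
ban_commands() {
    offenders | while read -r ip; do
        printf 'ipfw table %s add %s\n' "$IPFW_TABLE" "$ip"
    done
}

# Usage: ./sshban.sh [/var/log/auth.log]   (no argument: run on the sample log)
main() {
    if [ "$#" -gt 0 ]; then cat "$@"; else printf '%s\n' "$SAMPLE_LOG"; fi |
    if [ -n "$APPLY_RULES" ]; then ban_commands | sh; else ban_commands; fi
}

main "$@"
```

Run from cron against the real auth log with APPLY_RULES=1 after installing the static rule once with the command that table_rule prints; a periodic `ipfw table 1 flush` bounds the table's size, at the cost of letting the occasional repeat offender back in until it trips the threshold again.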
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200609280821.41963.josh>