
On Tue, 4 Aug 2009, Hiers, David wrote:
> I've always been a bit slow on the draw with the whole "reflexively block an address" thing.
> It'd be just my luck to reflexively block one of my provider's addresses...

SSHguard uses a whitelist to prevent this. Additionally, you can specify how many failed transactions occur in a period of time before you block, and how long it is blocked before it is unblocked (automagically).

A legit but badly configured customer can DOS an Asterisk instance with AUTH or register requests, and in this case, blocking them to allow legit customers to connect actually does something good. You can block after 100+ attempts in 1 minute for example, or 100 over an hour. Your choice.

The fact that sshguard can be used for multiple services is where I believe its power lies. If I can get socat working, sshguard can dynamically block HTTP server scans (more than 100 404's in 1 minute for example), block SIP AUTH scans, etc.

---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman at angryox.com                              http://www.angryox.com/
---------------------------------------------------------------------------
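
The policy described in the reply above (a whitelist, N failures within a period, and a block that expires on its own), modelled as an added example that is not part of the original message and is not sshguard's code. The class, its parameter names and the documentation-range addresses are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict, deque


class ThresholdBlocker:
    """Sliding-window failure counter with a whitelist and timed unblock."""

    def __init__(self, threshold, window, block_time, whitelist=()):
        self.threshold = threshold    # failures that trigger a block
        self.window = window          # seconds over which failures are counted
        self.block_time = block_time  # seconds a block lasts
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.failures = defaultdict(deque)  # addr -> recent failure times
        self.blocked_until = {}             # addr -> block expiry time

    def is_whitelisted(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.whitelist)

    def is_blocked(self, addr, now):
        expiry = self.blocked_until.get(addr)
        if expiry is not None and now >= expiry:
            del self.blocked_until[addr]    # automatic unblock
            return False
        return expiry is not None

    def record_failure(self, addr, now):
        """Record one failed request; return True if addr is blocked afterwards."""
        if self.is_whitelisted(addr):
            return False                    # e.g. the provider's range is never blocked
        if self.is_blocked(addr, now):
            return True
        recent = self.failures[addr]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                # forget failures older than the window
        if len(recent) >= self.threshold:
            self.blocked_until[addr] = now + self.block_time
            recent.clear()
            return True
        return False


if __name__ == "__main__":
    # Constructed traffic: 100 failures in 1 minute blocks for 10 minutes.
    b = ThresholdBlocker(100, 60, 600, whitelist=["203.0.113.0/24"])
    for i in range(150):                    # two failures per second from each source
        scanner = b.record_failure("198.51.100.7", i * 0.5)
        provider = b.record_failure("203.0.113.10", i * 0.5)
    print("scanner blocked:", scanner, "| provider blocked:", provider)
```
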