[Gllug] iptables with 1000s of IP addresses

Daniel P. Berrange dan at berrange.com
Sun Dec 28 19:18:35 UTC 2008


On Sun, Dec 28, 2008 at 05:51:25PM +0000, Richard Jones wrote:
> I've been slowly adding the IP addresses of people who (try to) add
> comment spam to my sites to a big IP drop list.  Currently each IP in
> the list is just added to a DROP rule in the INPUT table.
> 
> The list hit the 1000 mark recently (in fact, 1221 addresses right
> now) and is growing at ~ 50 new addresses / day.

How long do you see repeat hits from the same IP address for? Assuming
the spammers are using a botnet of compromised Windows machines, then
I'd expect the machines get re-installed after a while. So perhaps if
you didn't see any hits from an IP address for 14 days, you could remove
it from the block-list, and hopefully get the number of IP addresses to
reach a steady-state?

Daniel
-- 
|: http://berrange.com/     -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://freshmeat.net/~danielpb/    -o-   http://gtk-vnc.sourceforge.net :|
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
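
An added example, not part of the original post or thread: one way to apply the 14-day expiry suggested above is to sample the per-rule packet counters of the DROP rules and remove entries that have been idle too long. The listing, addresses, dates and function names are constructed for illustration, and it assumes the counters are zeroed after each sample (`iptables -Z INPUT`).

```python
import ipaddress
from datetime import datetime, timedelta, timezone

MAX_IDLE = timedelta(days=14)  # idle period suggested in the post

# Constructed sample of `iptables -nvxL INPUT` output (documentation addresses).
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      37     2220 DROP       all  --  *      *       192.0.2.10           0.0.0.0/0
       0        0 DROP       all  --  *      *       198.51.100.7         0.0.0.0/0
       0        0 DROP       all  --  *      *       203.0.113.99         0.0.0.0/0
     512    40960 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
"""

def parse_drop_counters(listing):
    """Return {source_ip: packet_count} for single-host DROP rules."""
    counters = {}
    for line in listing.splitlines():
        f = line.split()
        if len(f) < 9 or not f[0].isdigit() or f[2] != "DROP":
            continue
        try:
            ip = ipaddress.ip_address(f[7])  # rejects CIDR ranges and junk
        except ValueError:
            continue
        counters[str(ip)] = counters.get(str(ip), 0) + int(f[0])
    return counters

def update_last_seen(last_seen, counters, now):
    """Assumes counters were zeroed after the previous sample."""
    updated = dict(last_seen)
    for ip, pkts in counters.items():
        if pkts > 0 or ip not in updated:
            updated[ip] = now  # hit since last sample, or newly listed
    return updated

def stale_entries(last_seen, counters, now, max_idle=MAX_IDLE):
    """IPs still in the rule set whose last hit is at least max_idle old."""
    return sorted(ip for ip in counters if now - last_seen[ip] >= max_idle)

def removal_commands(ips):
    return [f"iptables -D INPUT -s {ip} -j DROP" for ip in ips]

if __name__ == "__main__":
    now = datetime(2008, 12, 28, tzinfo=timezone.utc)  # constructed clock
    state = {"192.0.2.10": now - timedelta(days=20),
             "198.51.100.7": now - timedelta(days=15),
             "203.0.113.99": now - timedelta(days=3)}
    counters = parse_drop_counters(SAMPLE_LISTING)
    state = update_last_seen(state, counters, now)
    print("\n".join(removal_commands(stale_entries(state, counters, now))))
```

An address that was idle for 20 days but shows new packets in this sample is kept, because its last-seen time is refreshed before the expiry check.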



