[Gllug] Router under attack: help/advice needed

David Damerell damerell at chiark.greenend.org.uk
Thu Oct 1 14:16:57 UTC 2009


On Wednesday, 30 Sep 2009, John Edwards wrote:
>David Damerell:
>>Because of the nature of the current attacks, I want to keep
>>count of failed logins indefinitely (the f2b default ten-minute memory
>>won't catch the current lot at all) 
>To be honest, the main idea of fail2ban is that once the attacks
>are blocked they will go elsewhere.

I think you misunderstand - the current clever attack pattern is that
each individual machine probes you only every few hours, with the
total search space being distributed. Such an attack is never blocked
by fail2ban running with a short memory, and the attackers can probe
the entire search space.

>By having multiple conf files for each service, you should be able
>to have different triggers and timeouts for different usernames.

Not impossible, certainly.

-- 
David Damerell <damerell at chiark.greenend.org.uk> Oil is for sissies
Yesterday was First Gouday, September.
Today is First Chedday, September - a public holiday.
Tomorrow will be First Stilday, September - a weekend.
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
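The point made in the message above, as an added example that is not part of the original post and is not fail2ban's code: a simplified failed-login counter run over a constructed sshd log, once with a ten-minute memory and once with no expiry. The threshold of 5, the log line format and the documentation-range addresses are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed OpenSSH-style syslog line; adjust the pattern to the local log format.
FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) ")

def parse(lines, year=2009):
    """Yield (timestamp, source_ip) for each failed-login line."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)

def flagged(lines, max_failures, memory=None):
    """Return IPs reaching max_failures within `memory` (None = never forget)."""
    recent = defaultdict(deque)
    hits = set()
    for ts, ip in parse(lines):
        q = recent[ip]
        q.append(ts)
        # Forget failures older than the memory window, if one is set.
        while memory is not None and ts - q[0] > memory:
            q.popleft()
        if len(q) >= max_failures:
            hits.add(ip)
    return hits

def sample_log():
    """Constructed log: three slow probers (one try every 3 hours) and one burst."""
    start = datetime(2009, 10, 1, 0, 0, 0)
    events = []
    for n, ip in enumerate(["192.0.2.10", "198.51.100.7", "203.0.113.5"]):
        for k in range(6):
            events.append((start + timedelta(hours=3 * k, minutes=n), ip))
    for k in range(6):
        events.append((start + timedelta(hours=1, seconds=10 * k), "192.0.2.99"))
    events.sort()
    return [f"{ts:%b %d %H:%M:%S} host sshd[4242]: Failed password for invalid "
            f"user admin from {ip} port 50000 ssh2" for ts, ip in events]

if __name__ == "__main__":
    log = sample_log()
    print("10-minute memory:", sorted(flagged(log, 5, timedelta(minutes=10))))
    print("indefinite memory:", sorted(flagged(log, 5)))
```

With the short memory only the bursting source is flagged; with no expiry the three slow sources are flagged as well once their totals reach the threshold.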



