NetBSD-Users archive


Re: Blocking offending IPs : How many are too many to handle for npf?





On 24/05/2018 03:05, Mayuresh wrote:
On Thu, May 24, 2018 at 01:55:23AM +0000, Christos Zoulas wrote:
You could collect data for a few days and then make some entries permanent :-)

Sure. Maybe I'd look forward to blocklistd adding 1 more column in its
conf: "no. of repeat offences before being permanently blocked"! :-)

That was what I found crept up over time with the sshguard algorithm, which gradually increased the block time for each group of offences until it became permanent.

It never impacted performance, but it just seems slightly crazy and over-aggressive to permanently ban an IP. Based on what blacklistd does, even repeat offenders get cleaned up eventually (at least the SSH scanning ones do). Certain IP subnets are scan sources more often than others, but even then it tends to be one or two IPs in that block at a time.

I use 6 attempts as the block threshold and block for 6 hours on SSH. That seems to stop too much in the way of probing. My current blacklistd table has lots of hosts that have made 1 connect attempt but I never seem to see more than 1 or 2 hosts blocked.

Mike
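For reference, the threshold and block duration described in the post above, written out in blacklistd.conf syntax together with the npf.conf table the block rule depends on. This is an added example, not configuration from the thread or from the NetBSD tree; the interface variable `$ext_if` and the table name `port22` are assumptions (the stock blacklistd-helper derives the table name from the port when the `name` column is `*`), and the rest of npf.conf is omitted.

```conf
# /etc/blacklistd.conf (added example)
# Columns: adr/mask:port  type    proto  owner  name  nfail  disable
#   nfail   = failed attempts before the address is blocked (6 here)
#   disable = how long the block stays in place (6h here); entries
#             are removed again once it expires, they are never permanent
[local]
ssh              stream  *      *      *     6      6h

# /etc/npf.conf fragment (added example); $ext_if is assumed.
# blacklistd-helper adds offending addresses to <port22> with
# "npfctl table port22 add <addr>/<mask>", so the table must exist.
table <port22> type ipset

group "external" on $ext_if {
	block in final proto tcp from <port22> to any port 22
	pass stateful in final proto tcp to $ext_if port 22
}
```

After `npfctl reload` and a restart of blacklistd, `blacklistctl dump -b` lists the addresses currently blocked with their remaining time, and `npfctl table port22 list` shows what actually reached the packet filter; comparing the two is the quickest way to confirm the helper is populating the right table.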

