Author: W B Hacker
Date:
To: exim users
Subject: Re: [exim] DOS attack. What to do?
Rob Munsch wrote:
> W B Hacker wrote:
>
>> Primary target is our oldest *.net domain, and a chunk of
>> dictionary-attack non-existent users with the NetSol-WHOIS published
>> domain contact address included makes up the pattern.
>>
>>
> I'm using DenyHosts for this particular angle; had it set very, very
> forgiving and denying only ssh, but expanded gradually towards "piss off
> one tripwire and all the rest preemptively ignore you" sort of system.
> Have any thoughts on it?
>
> Due to the shared-central thresholding (an interesting
> community-consensus feature that seems to make it poison resistant), and
> its 100% accuracy so far*, I was thinking of having exim use it as a
> local blacklist, but... not sure how good an idea that is.
>
> * first 2 weeks I had the thing up, I manually looked up every IP it
> didn't like. I wound up with a hit for the usual suspects on all of
> 'em, so much so that I have begun to memorize netblocks, quite against
> my will. My brain hurts.
>
> Thoughts? Experiences? Strong contraindications, misgivings,
> superstitions or recommended rituals?
>
Concept looks like something we do more or less manually on data from (only) our
own servers. Should be valid.
Personally, however, seeing either 'Linux' or 'script' puts me off, and both in
the same sentence, adjacent, is the kiss of death...
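For the "exim as a local blacklist" idea raised above, an added configuration example that is not part of this thread and not code from the Exim or DenyHosts projects. It assumes a hypothetical file /etc/exim/denyhosts.list holding one IP address or CIDR block per line; DenyHosts writes its own output in tcp_wrappers format (hosts.deny entries), so some export step that produces a bare address list is assumed. The ACL rejects listed hosts at connect time, before any SMTP command is accepted, and exempts loopback so a bad list entry can never lock out local delivery or monitoring.

```exim
# Main configuration section: run this ACL when a client connects.
acl_smtp_connect = acl_check_connect

begin acl

acl_check_connect:
  # Never block the local host, whatever the list happens to contain.
  # "<;" switches the list separator to ";" so the IPv6 address is
  # not split on its own colons.
  accept hosts = <; 127.0.0.1 ; ::1

  # Hypothetical blocklist file (assumed to be derived from DenyHosts):
  # one IP address or CIDR per line, re-read by Exim on each check, so
  # updates take effect without a restart.
  deny  hosts       = /etc/exim/denyhosts.list
        log_message = local blocklist hit from $sender_host_address
        message     = Connection refused: host is on a local blocklist

  # Everything else proceeds to the normal per-command ACLs.
  accept
```

Before switching the verb from a logging-only `warn` (same `hosts` and `log_message` lines, no `message`) to `deny`, it is worth running the list in warn mode for a while and grepping the mainlog for the log_message text: that gives a false-positive count against real mail traffic, which an ssh-derived list will not have been measured against, and costs nothing if the list turns out to be as clean as described above.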