From: Robert T W. <rob...@ma...> - 2007-05-18 22:02:38
Laine Lee wrote:

> -- I haven't done a complete analysis by any means, but I think I'm getting the results I want by having DenyHosts monitor the secure.log file rather than the asl.log file. It appears that there is at least one corresponding DenyHosts-friendly entry in secure.log for each range of the DenyHosts-inappropriate entries in asl.log, and the hosts.deny file is now being populated with IP addresses from which I'm sure hostile connection attempts originated. So far, no successful logins have triggered a hosts.deny entry. I'm planning to try this configuration for a while before I make more changes.
>
> Regards,
> Laine Lee

The $64,000 question though is whether your hosts.deny entries are being populated by attacks against your machine or whether it is being populated by downloading from the sync server (in my experience the attacks against my machine have come mostly from the same IPs that others have blocked and posted to the sync server). I can only tell by examining my sync log, fwiw, ymmv. Ideally, you want attacks against your machine to trigger new entries as well as having the synced IPs blocked. Naturally, if you are not using the sync server, the answer is clear.