From: James H. <jam...@gm...> - 2015-05-06 20:46:08

I see the FreeBSD init script was removed from the repo. Was the script removed because it is broken or unwanted? I have a systemd unit file that I have been debating making a pull request for. I thought if at least an example unit file was included we might be able to encourage others to package sshguard for their preferred OS/distro.

On another topic. I have seen my currently loaded blacklist is up to about 1260 addresses. Out of curiosity I started writing some scripts to do some analysis of the IPs. My thought was maybe people that get issued a DHCP address from their provider start to reject addresses until they get a new one that hasn't been blocked by their targets. I would guess those addresses are rather close to each other or at least issued to the same AS. If many attacks came from the same net block it would be faster to block a range of addresses. Fewer rules should make the firewall faster; also it would proactively block the other addresses they are likely to get. Sorting by AS I can see I have 39 hits from AS12876 from France, which has 4 allocations, but most of my hits are from only one. From AS4837 I have 38 blacklisted, but they have several /16 or /15 ranges and my hits come from across many of them. From AS4134 I have 452 blacklisted and they also have 20-some /15 or /16 allocated blocks. I can provide the scripts if anyone is interested. I pulled the AS data from Team Cymru via their DNS gateway http://www.team-cymru.org/IP-ASN-mapping.html#dns.

Finally, I was looking over the iptables capabilities and it looks like it is possible to get hit counts on rules. I would suspect most of the backends support this. Would there be interest in adding hit count thresholds to the temporary blocks / blacklisting promotions? So as the temporary rules continue to receive hits they should stay in place, resetting the expire timer, and given enough hits be promoted to a blacklist. Instead of waiting for several violations to occur only one may be needed. Then as the rule continues to be triggered by likely attacks it can be extended or made permanent, never opening the service back to the attacker.

-- 
James Harris
Software Engineer
jam...@gm...
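The per-AS grouping described in the message above, as an added example that is not James's script (he did not post it): it builds the Team Cymru `origin.asn.cymru.com` TXT query names, parses answers in Cymru's `ASN | prefix | CC | registry | allocated` format, and counts blacklisted hosts per AS and per announced prefix to spot net blocks that could be covered by one range rule instead of many host rules. The addresses and ASNs are constructed from documentation ranges (192.0.2.0/24, AS64496, etc.) and the answers are embedded rather than resolved, so it runs offline.

```python
"""Group blacklisted IPv4 addresses by origin AS and announced prefix (added example)."""
import ipaddress
from collections import Counter, defaultdict


def cymru_query_name(ip: str) -> str:
    """Reverse the octets and append Team Cymru's origin zone; the result is the
    name whose TXT record carries the AS mapping (e.g. via `dig +short TXT <name>`)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".origin.asn.cymru.com"


def parse_cymru_txt(txt: str):
    """Parse an answer like '"64496 | 192.0.2.0/24 | ZZ | example | 2015-01-01"'.
    Returns (asn, prefix). Multi-origin answers list several ASNs; keep the first."""
    fields = [f.strip() for f in txt.strip().strip('"').split("|")]
    if len(fields) < 2 or not fields[0]:
        raise ValueError(f"unexpected Cymru answer: {txt!r}")
    return fields[0].split()[0], ipaddress.ip_network(fields[1], strict=False)


def summarize(ips, answers):
    """answers maps query name -> TXT answer (offline here; live use would resolve it).
    Returns (hits per AS, hits per prefix within each AS)."""
    by_as = Counter()
    by_prefix = defaultdict(Counter)
    for ip in ips:
        asn, prefix = parse_cymru_txt(answers[cymru_query_name(ip)])
        by_as[asn] += 1
        by_prefix[asn][str(prefix)] += 1
    return by_as, by_prefix


def candidate_ranges(by_prefix, min_hits=3):
    """Prefixes holding at least min_hits blacklisted hosts: candidates for a single
    range rule, which is also proactive against other hosts in that block."""
    return sorted(p for asn in by_prefix for p, n in by_prefix[asn].items() if n >= min_hits)


# Constructed sample: documentation IP ranges and documentation ASNs (RFC 5398).
SAMPLE_IPS = ["192.0.2.10", "192.0.2.44", "192.0.2.200", "198.51.100.7", "203.0.113.5"]
_ORIGIN = {"192.0.2.": ("64496", "192.0.2.0/24"),
           "198.51.100.": ("64497", "198.51.100.0/24"),
           "203.0.113.": ("64497", "203.0.113.0/24")}
SAMPLE_ANSWERS = {
    cymru_query_name(ip): f'"{asn} | {pfx} | ZZ | example | 2015-01-01"'
    for ip in SAMPLE_IPS for start, (asn, pfx) in _ORIGIN.items() if ip.startswith(start)
}

if __name__ == "__main__":
    hits, prefixes = summarize(SAMPLE_IPS, SAMPLE_ANSWERS)
    for asn, n in hits.most_common():
        print(f"AS{asn}: {n} blacklisted, prefixes: {dict(prefixes[asn])}")
    print("range candidates:", candidate_ranges(prefixes))
```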