From: James H. <jam...@gm...> - 2015-07-23 21:43:58
I had been looking at two ideas, first blocking subnets when a certain number of IPs had been blocked, thus replacing like 128 rules with one if half of a class C was blocked.

Another option is to look up the AS of the IPs, and when enough bad guys from one AS show up just block all the IPs there. Many of these attackers can force a provider to give them another IP but few go to the trouble of changing providers. I suspect blocking by AS will have the same thing as blocking by country where these attacks most often originate.

On Thu, Jul 23, 2015 at 12:52 PM, Greg Putrich <gr...@n0...> wrote:

> @lbutlr said:
> > If there were a reliable way to block all of Russia and China, that would be great. Heck, other than a few connections from Western Europe and Africa I could safely block the rest of the world.
> >
> > I would like to tune the behavior a bit (for example, attempts to ssh as root should count for like 21 so that two attempts result in a blacklist. (since I do not allow ssh access to the root account).
>
> Can find networks in China & North Korea at:
> http://okean.com

--
James Harris
Software Engineer
jam...@gm...
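
The subnet idea from the message above, sketched as an added example (not part of the original post and not sshguard code): once at least half of a /24 is individually blocked, the per-address rules are replaced with one network rule. The function name, the threshold default and the sample addresses (constructed from documentation ranges) are assumptions.

```python
import ipaddress
from collections import defaultdict


def aggregate_blocks(blocked_ips, prefix_len=24, threshold=128):
    """Split blocked IPv4 addresses into (networks, singles).

    A /prefix_len network is promoted to a single rule once at least
    `threshold` distinct addresses inside it are blocked; everything
    else stays a per-address rule. IPv6 entries are passed through
    unchanged as singles.
    """
    by_net = defaultdict(set)
    singles = []
    for raw in blocked_ips:
        addr = ipaddress.ip_address(raw.strip())
        if addr.version != 4:
            singles.append(addr)
            continue
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        by_net[net].add(addr)  # set: duplicate log entries count once

    promoted = []
    for net, addrs in by_net.items():
        if len(addrs) >= threshold:
            promoted.append(net)
        else:
            singles.extend(addrs)

    # Merge adjacent promoted networks (two neighbouring /24s -> one /23).
    networks = list(ipaddress.collapse_addresses(promoted))
    singles.sort(key=lambda a: (a.version, int(a)))
    return networks, singles


def build_sample():
    """Constructed input: 130 hosts in one /24, 3 stragglers in another."""
    busy = [f"198.51.100.{i}" for i in range(1, 131)]
    quiet = ["203.0.113.5", "203.0.113.9", "203.0.113.77"]
    return busy + quiet + ["198.51.100.1"]  # includes one duplicate


if __name__ == "__main__":
    nets, hosts = aggregate_blocks(build_sample())
    for n in nets:
        print("block net ", n)
    for h in hosts:
        print("block host", h)
```

Every address in a promoted network is blocked, including ones that never attacked, so the threshold is the knob that trades rule count against collateral blocking.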