On Tue, 2004-11-02 at 11:04 +0900, Joel wrote:

> Permanent black holes are not a good idea, of course, and that was
> discussed. I don't think I'd use the two day timeouts that someone
> mentioned for his setup, I'd think more in terms of thirty minutes.
> Possibly lengthen that a little if I got repeats.

I'm the guy who started out by describing his "fly-trap" technique with Portsentry and Shorewall and the poster of the two-day timeout. The reason I chose that period, iteratively and with careful trials, is that it resulted in (a) almost zero repeat attacks from IP addresses after being unblocked, and (b) only about 20 hosts in the entire Internet being blocked at any given time. The key in this case is careful selection of the "hostile" ports.

However, any given technique you choose will have its own quirks and should be tested independently. Starting testing out at an hour and then expanding to see the results is eminently reasonable; I just thought you should know that two days works like a charm with THIS technique and on MY web server, over the last two years or so. Your mileage may (and probably will) vary, so of course test carefully.

Cheers,

-- 
Rodolfo J. Paiz <rpaiz@xxxxxxxxxxxxxx>
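The thread compares block timeouts (thirty minutes, two days, lengthening on repeats) for a trap-port blocklist. The following is an added example written for this page, not code from the thread, from PortSentry or from Shorewall: a small model of a time-limited blocklist that lets you replay constructed hit logs under different policies and count how many hosts stay blocked and how many come back after release. The trap-port set `HOSTILE_PORTS`, the doubling escalation policy, the two-day cap and the sample hits are all assumptions for illustration.

```python
"""Time-limited blocklist for a port-scan "fly-trap" (added example).

A host that touches a "hostile" (unserved, trap) port is blocked for a
period and then released; optionally, a host that returns after release
is blocked for longer. Policy details here are assumptions, not the
behaviour of PortSentry or Shorewall.
"""
from dataclasses import dataclass, field

# Constructed trap-port set: ports this web server never serves, so a
# connection attempt to any of them is treated as hostile (assumption).
HOSTILE_PORTS = {23, 111, 135, 139, 445, 1433, 3306}


@dataclass
class BlockEntry:
    until: float        # epoch seconds at which the block expires
    strikes: int = 1    # number of times this host has been blocked


@dataclass
class TempBlocklist:
    base_timeout: float                 # seconds for a first offence
    escalate: bool = False              # double the block on each repeat
    max_timeout: float = 2 * 24 * 3600  # cap at two days (assumption)
    _entries: dict = field(default_factory=dict)

    def _duration(self, strikes):
        if not self.escalate:
            return self.base_timeout
        return min(self.base_timeout * 2 ** (strikes - 1), self.max_timeout)

    def record_hit(self, ip, port, now):
        """Process one connection attempt. Returns the block length applied,
        or 0.0 when no new block was created (port not in the trap set, or
        the host is already blocked and the firewall simply dropped it)."""
        if port not in HOSTILE_PORTS:
            return 0.0
        entry = self._entries.get(ip)
        if entry is None:
            strikes = 1
        elif now < entry.until:
            return 0.0                  # still blocked; nothing to change
        else:
            strikes = entry.strikes + 1  # came back after being released
        duration = self._duration(strikes)
        self._entries[ip] = BlockEntry(until=now + duration, strikes=strikes)
        return duration

    def is_blocked(self, ip, now):
        entry = self._entries.get(ip)
        return entry is not None and now < entry.until

    def active(self, now):
        """Sorted list of IPs whose block is still in force at `now`."""
        return sorted(ip for ip, e in self._entries.items() if now < e.until)

    def strikes(self):
        """Per-IP count of blocks ever applied (expired ones included)."""
        return {ip: e.strikes for ip, e in self._entries.items()}


# Constructed hit log: (source ip, destination port, seconds since start).
HITS = [
    ("198.51.100.7", 445, 0),       # scanner touches an SMB trap port
    ("198.51.100.7", 139, 60),      # still blocked; dropped silently
    ("203.0.113.9", 80, 120),       # ordinary web request, never blocked
    ("198.51.100.7", 1433, 2000),   # ~33 min later: released under a 30-min policy
    ("192.0.2.44", 23, 2500),       # a second scanner
]


def run_policy(hits, base_timeout, escalate=False):
    """Replay `hits` under one policy; return (hosts blocked at the last hit,
    strike counts). Lets you compare a 30-minute, a two-day and an
    escalating policy against the same log."""
    bl = TempBlocklist(base_timeout=base_timeout, escalate=escalate)
    for ip, port, t in hits:
        bl.record_hit(ip, port, t)
    return bl.active(hits[-1][2]), bl.strikes()


if __name__ == "__main__":
    for label, timeout, esc in [("30 min", 1800, False),
                                ("2 days", 172800, False),
                                ("30 min, escalating", 1800, True)]:
        blocked, strikes = run_policy(HITS, timeout, esc)
        print(f"{label:>20}: blocked now={blocked} strikes={strikes}")
```

A second strike under the thirty-minute policy is a "repeat after unblocking", exactly the figure the poster tuned his two-day period to minimise; replaying real trap-port logs through `run_policy` with your own timeouts gives you that count and the concurrent block-list size before you change the firewall.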