On Thu, 2004-12-09 at 02:02, Randy Kelsoe wrote:
> Serge de Souza wrote:
> > Gerry Doris wrote:
> > > I had so many problems with the 218.0.0.0/24 domain that I totally
> > > blocked the entire domain. I believe this domain is in Korea.

Again missed an OP, maybe I should filter out any mail which contains the string "FC3" ;-)

Most of these login attempts originate from a WIN-Virus, i.e. the attacks come from dial-up accounts of unsuspecting users. You're eventually blacklisting the whole internet if you continue that ;-)

Go back in the archives, it was discussed about a month ago that it might make sense to temporarily (for some hours) block the IPs in question. After implementing a temporary block, my logs now show that the attackers fall into the trap (by trying root/pw), get rejected a few times on further attempts and do not come back after that.

Besides -- I guess this method would even work for a real, human attacker. There are enough machines out there which justify *not* to wait for 5 hours to continue a brute-force attack.

--
HaJo Schatz <hajo@xxxxxxxx>
http://www.HaJo.Net
PGP-Key: http://www.hajo.net/hajonet/keys/pgpkey_hajo.txt
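
The temporary block described in the message above, sketched as an added example that is not part of the original post or the poster's own setup: it reads sshd log lines, treats a failed root login as the trap, and records an expiry time per source IP. The OpenSSH-style log format, the 5-hour duration, the function names and the sample lines are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

BLOCK_FOR = timedelta(hours=5)   # assumed duration; the post only says "some hours"
TRAP_USERS = {"root"}            # a failed login to one of these triggers a block

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def parse_line(line, year):
    """Return (timestamp, user, ip) for a failed sshd login, else None."""
    m = FAILED.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so the caller supplies it
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)

def build_blocks(lines, year):
    """Map each source IP that hit a trap account to its block expiry."""
    blocks = {}
    for line in lines:
        hit = parse_line(line, year)
        if hit and hit[1] in TRAP_USERS:
            ts, _, ip = hit
            # a repeat attempt extends the block, it never shortens it
            blocks[ip] = max(blocks.get(ip, datetime.min), ts + BLOCK_FOR)
    return blocks

def is_blocked(blocks, ip, now):
    """True while the temporary block for ip has not yet expired."""
    expiry = blocks.get(ip)
    return expiry is not None and now < expiry

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE = [
    "Dec  9 02:02:11 host sshd[1234]: Failed password for root from 192.0.2.10 port 4022 ssh2",
    "Dec  9 02:02:15 host sshd[1236]: Failed password for invalid user test from 198.51.100.7 port 5111 ssh2",
    "Dec  9 02:03:40 host sshd[1240]: Failed password for root from 192.0.2.10 port 4031 ssh2",
    "Dec  9 02:04:00 host sshd[1242]: Accepted password for alice from 203.0.113.5 port 6000 ssh2",
]

if __name__ == "__main__":
    for ip, expiry in build_blocks(SAMPLE, 2004).items():
        print(f"{ip} blocked until {expiry:%Y-%m-%d %H:%M:%S}")
```

Because every entry carries its own expiry, an address handed to a different dial-up user later is no longer rejected once the block lapses, which is the difference from the permanent /24 block quoted at the top.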