Re: fail2ban vs. syslogd compression

On Wednesday 29 August 2007 03:56, G.W. Haywood wrote:
> Most offenders
> are blocked permanently, at the last count we're blocking about 27,750
> ranges.  Our scripts could handle the 'repeat' messages if they needed
> to, but they don't.  The script kiddies don't get five tries, we block
> them after the first. :)

Forgive me, but as I understand IP and the whole DHCP concept and whatnot, IP addresses ARE reused after some time. I rarely have the same internet address for more than a month -- and if I randomly ended up with one of your blocked addresses, wouldn't I be an innocent victim?

Given the dynamic nature of the internet in general, doesn't it make more sense to block for, maybe 2 months, tops?

This isn't meant to downcast your job or anything, I'd just like to know the reasoning behind permanent versus temporary blocks (I use temporary, and it's always done well for me).

fail2ban blocks for 10 minutes; 10 minutes has thus far been enough to stop all but the most determined script kiddies, who are then blocked again (and again until they stop). Even using a 450mhz pentium II for my router/firewall, it's not even a noticeable load on the system.

-- 
Sincerely,
Jack
jakykong@theanythingbox.com

My GPG Public Key can be found at:
https://www.theanythingbox.com/pgp.htm (top link is current)
I appreciate signatures, but if you only know me online,
please use the --lsign-key, not the --sign-key.
I appreciate trust -- but too much makes it less valuable.

-- To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org