On Jan 12, 2009, at 3:24 PM, James B. Byrne wrote:
It is evident that this attacker had more than one netblock available. It is conceivable that, instead of serially attacking us, they could just as easily have attempted multiple simultaneous connections from all of their available IP addresses. This would completely defeat the current throttle rules. Should I also throttle the total number of new connections from all IPs?
you might be better served by adding an additional layer of defense e.g. denyhosts (which you can get from Dag). it's pretty good at deflecting brute-force attacks, especially if you enable synchronization mode in order to learn about hostile IPs before they hit you. initial setup should be a matter of minutes, I'd expect.
a useful trick to keep your hosts.deny file from growing to massive size is to use the hosts.evil include mechanism:
Can I use a non-standard hosts.deny file? (http://denyhosts.sourceforge.net/faq.html#2_6 )
-steve
-- If this were played upon a stage now, I could condemn it as an improbable fiction. - Fabian, Twelfth Night, III,v
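A worked illustration of the two points raised in this thread (a per-IP threshold such as DenyHosts applies versus the aggregate limit James asks about, and keeping hosts.deny small by pointing it at a separate file), added here as an example; it is not code from either poster or from the DenyHosts project. It assumes a constructed log sample, the year 2009 for the year-less syslog timestamps, and the hosts_access(5) file-name pattern, i.e. /etc/hosts.deny carrying a line like `sshd: /etc/hosts.evil` with the included file holding one address per line.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of sshd lines in syslog format (no year, as in /var/log/secure).
SAMPLE_LOG = """\
Jan 12 15:20:01 gw sshd[4201]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2
Jan 12 15:20:03 gw sshd[4203]: Failed password for root from 192.0.2.10 port 51030 ssh2
Jan 12 15:20:04 gw sshd[4205]: Failed password for root from 198.51.100.7 port 40110 ssh2
Jan 12 15:20:05 gw sshd[4207]: Failed password for invalid user test from 203.0.113.9 port 33001 ssh2
Jan 12 15:20:06 gw sshd[4209]: Failed password for root from 192.0.2.10 port 51041 ssh2
Jan 12 15:20:07 gw sshd[4211]: Accepted publickey for jbyrne from 192.0.2.55 port 50200 ssh2
Jan 12 15:20:08 gw sshd[4213]: Failed password for root from 198.51.100.8 port 40111 ssh2
"""

FAILED = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\d+(?:\.\d+){3}) port"
)

def failed_logins(log_text, year=2009):
    """Return sorted (timestamp, ip) pairs for failed password attempts; the year is assumed."""
    hits = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            hits.append((ts, m.group(2)))
    return sorted(hits)

def per_ip_offenders(hits, threshold=3):
    """DenyHosts-style rule: an address is listed once it alone reaches the threshold."""
    counts = Counter(ip for _, ip in hits)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def aggregate_burst(hits, threshold=5, window_seconds=60):
    """Site-wide rule: True if failures from all addresses combined reach the threshold in one window."""
    times = [ts for ts, _ in hits]
    for i in range(len(times)):
        j = i + threshold - 1
        if j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
            return True
    return False

def hosts_evil(offenders):
    """Content of the included file: one address per line (hosts.deny itself says 'sshd: /etc/hosts.evil')."""
    return "".join(f"{ip}\n" for ip in offenders)
```

On the sample, only 192.0.2.10 trips the per-IP rule, while the six failures spread over four addresses still trip the aggregate rule, which is exactly the case a per-IP throttle misses.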