[CentOS] Paranoid Firewalling

Tue Sep 6 18:33:56 UTC 2005
Kirk Bocek <t004 at kbocek.com>

Scot L. Harris wrote:
> Actually this won't reduce any bandwidth to your server.  The probes
> still hit that address, you are just blocking those packets in iptables
> from begin able to get any further.  

Are you saying that the single connect-and-drop that this scheme introduces is going 
to use the same bandwidth as a brute-force password attack on hundreds of login names?

> If you could implement this further up the line then you could reduce
> traffic to your servers.

Sure, that would be good. <SARCASM> Do you think I can get SBC to implement custom 
filtering for our DSL? </SARCASM> ;)

> Putting a blanket deny on traffic from specific IP ranges is effective
> if attacks are coming from those ranges.  The problem is that hackers
> will typically want to use an intermediate site to launch an actual
> attack from.  This makes it harder to trace the actual source of the
> attack.  At least good hackers do this.  Script kiddies don't know to do
> this.  

If you read the article, you'll see that the author suggests that the traffic is 
probably coming from zombied personal machines in the far east occurring as a result 
of a lack of security knowledge and awareness in those new to the net.

I don't expect this to be perfect, just an additional step to protect my servers.

Kirk Bocek