On Jan 12, 2009, at 3:24 PM, James B. Byrne wrote:

> It is evident that this attacker had more than one netblock available. It
> is conceivable that, instead of serially attacking us, they could just
> have easily attempted multiple simultaneous connections from all of their
> available IP addresses. This would completely defeat the current throttle
> rules. Should I also throttle the total number of new connections from
> all IPs?

you might be better served by adding an additional layer of defense, e.g. denyhosts (which you can get from Dag). it's pretty good at deflecting brute-force attacks, especially if you enable synchronization mode in order to learn about hostile IPs before they hit you. initial setup should be a matter of minutes, i'd expect.

a useful trick to keep your hosts.deny file from growing to massive size is to use the hosts.evil include mechanism:

Can I use a non-standard hosts.deny file? (http://denyhosts.sourceforge.net/faq.html#2_6)

-steve

--
If this were played upon a stage now, I could condemn it as an improbable fiction.
- Fabian, Twelfth Night, III,v
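The quoted question asks whether a per-source throttle should be backed by a limit on the total rate of new connections. As an added example, not code from the thread or from denyhosts, the Python below runs both counters over constructed sshd log lines and shows a distributed attempt that stays under the per-source limit on every address while the aggregate limit still catches it. The addresses (documentation ranges), limits and 60-second window are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample (not from the thread): one attacker, three addresses, failures interleaved.
SAMPLE_LOG = """\
Jan 12 15:24:01 gw sshd[1001]: Failed password for invalid user admin from 198.51.100.10 port 40001 ssh2
Jan 12 15:24:03 gw sshd[1002]: Failed password for root from 198.51.100.11 port 40002 ssh2
Jan 12 15:24:05 gw sshd[1003]: Failed password for invalid user test from 203.0.113.7 port 40003 ssh2
Jan 12 15:24:08 gw sshd[1004]: Failed password for invalid user oracle from 198.51.100.10 port 40004 ssh2
Jan 12 15:24:10 gw sshd[1005]: Failed password for root from 198.51.100.11 port 40005 ssh2
Jan 12 15:24:12 gw sshd[1006]: Failed password for invalid user guest from 203.0.113.7 port 40006 ssh2
Jan 12 15:24:15 gw sshd[1007]: Failed password for root from 198.51.100.10 port 40007 ssh2
Jan 12 15:24:17 gw sshd[1008]: Failed password for invalid user admin from 198.51.100.11 port 40008 ssh2
Jan 12 15:24:19 gw sshd[1009]: Failed password for root from 203.0.113.7 port 40009 ssh2
""".splitlines()

FAILED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")

def failed_logins(lines):
    """Yield (timestamp, source_ip) for each sshd 'Failed password' line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2)

def _window_count(queue, ts, window_s):
    """Push ts onto the queue, drop entries older than window_s, return the count."""
    queue.append(ts)
    while (ts - queue[0]).total_seconds() > window_s:
        queue.popleft()
    return len(queue)

def evaluate(lines, per_ip_limit, total_limit, window_s=60):
    """Return (set of IPs exceeding the per-source limit, first time the aggregate
    limit is exceeded as HH:MM:SS or None). Limits are assumed policy values; a
    spread of addresses that never trips the per-source limit still adds up here."""
    per_ip, total = defaultdict(deque), deque()
    tripped_ips, tripped_total_at = set(), None
    for ts, ip in failed_logins(lines):
        if _window_count(per_ip[ip], ts, window_s) > per_ip_limit:
            tripped_ips.add(ip)
        if _window_count(total, ts, window_s) > total_limit and tripped_total_at is None:
            tripped_total_at = ts.strftime("%H:%M:%S")
    return tripped_ips, tripped_total_at

if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG, per_ip_limit=4, total_limit=6))
```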