[CentOS] (c 5.6) Running 2 versions of Apache ?

Mon Aug 29 20:06:01 UTC 2011
m.roth at 5-cent.us <m.roth at 5-cent.us>

Always Learning wrote:
>
> On Mon, 2011-08-29 at 15:31 -0400, m.roth at 5-cent.us wrote:
>
>> Sorry, not a lunatic. Your website's name has been harvested, and added
>> to some black-market commercial or script kiddie toolkit, and it's on
>> infected servers around the world. Take it from me... (I'm a contractor
>> for a US Federal Gov't agency*, and we get *tons*.)
>
> It would be nice if Uncle Sam went after the pests.

Please. We don't want "unintended consequences" (as in, you're running
these servers open to the 'Net? Why, you should....)*
>
> The attacks are not automatic. The loony is currently having difficulty
> finding vulnerable IPs and concentrating his efforts on a Japanese
> company with very lax security (7 IPs at the same place so far).

Sounds like that may be their attack vector. I'd expect it to spread.
>
>> Check out fail2ban. It works very nicely.
>
> Mark,
>
> From http://www.fail2ban.org/wiki/index.php/Main_Page
> it states:
>
> 	Fail2ban scans log files like /var/log/pwdfail
> 	or /var/log/apache/error_log and bans IP that
> 	makes too many password failures. It updates
> 	firewall rules to reject the IP address.
>
> I would like, if possible, to identify the fragments in IP tables and
> instantly block the packets thus preventing them entering the remainder
> of the server. Fail2ban does not do this. My current blocking
> requirement is specialised.

You might want to try it, anyway. It takes care of a *lot* of other
attacks, too.

         mark

* Forgot this on the last post: ObDisclaimer: I do not speak for the US
Federal Gov't, nor for my employer; I speak (and rant) only for myself.
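The fail2ban mechanism quoted in this thread (scan a log, count password failures per client address inside a time window, push a firewall rule once a threshold is reached) is sketched below in Python. This is an added illustration, not code from the thread and not fail2ban's own implementation. The log lines are constructed in the Apache 2.2 error_log style that mod_auth uses for failed logins; the parameter names maxretry and findtime are borrowed from fail2ban's configuration vocabulary; and the iptables command is only built as a string so the sketch can be run anywhere without touching a firewall.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (Apache 2.2 error_log format); not taken from any real server.
SAMPLE_LOG = """\
[Mon Aug 29 20:01:05 2011] [error] [client 203.0.113.7] user admin: authentication failure for "/private": Password Mismatch
[Mon Aug 29 20:01:09 2011] [error] [client 203.0.113.7] user admin: authentication failure for "/private": Password Mismatch
[Mon Aug 29 20:01:12 2011] [error] [client 203.0.113.7] user root: authentication failure for "/private": Password Mismatch
[Mon Aug 29 20:01:40 2011] [error] [client 203.0.113.7] user test: authentication failure for "/private": Password Mismatch
[Mon Aug 29 20:02:15 2011] [error] [client 198.51.100.20] user bob: authentication failure for "/private": Password Mismatch
[Mon Aug 29 20:02:30 2011] [error] [client 198.51.100.20] File does not exist: /var/www/html/favicon.ico
[Mon Aug 29 20:35:00 2011] [error] [client 203.0.113.7] user admin: authentication failure for "/private": Password Mismatch
"""

# Matches only authentication failures; other [error] lines (404s etc.) are ignored.
FAIL_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] '
    r'.*authentication failure'
)


def parse_failures(lines):
    """Yield (timestamp, ip) for every password-failure line that parses cleanly."""
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        try:
            # Validate the address before it ever reaches a firewall command:
            # log content is attacker-influenced and must not be trusted as-is.
            ip = str(ipaddress.ip_address(m.group('ip')))
            ts = datetime.strptime(m.group('ts'), '%a %b %d %H:%M:%S %Y')
        except ValueError:
            continue
        yield ts, ip


def find_bans(lines, maxretry=3, findtime=600):
    """Return {ip: time_of_ban} for addresses with >= maxretry failures
    inside any sliding window of findtime seconds (fail2ban-style)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)   # ip -> timestamps of failures still in window
    banned = {}
    for ts, ip in parse_failures(lines):
        if ip in banned:
            continue             # already acted on; no need to count further
        hits = recent[ip]
        hits.append(ts)
        # Drop failures that have aged out of the window.
        while hits and ts - hits[0] > window:
            hits.pop(0)
        if len(hits) >= maxretry:
            banned[ip] = ts
    return banned


def ban_rules(banned, chain='INPUT'):
    """Build the iptables commands fail2ban would run. Strings only; never executed here."""
    return [f'iptables -I {chain} -s {ip} -j DROP' for ip in sorted(banned)]


if __name__ == '__main__':
    bans = find_bans(SAMPLE_LOG.splitlines())
    for ip, when in bans.items():
        print(f'{ip} banned at {when}')
    for rule in ban_rules(bans):
        print(rule)
```

With the default thresholds, 203.0.113.7 trips the ban on its third failure at 20:01:12; 198.51.100.20 has one failure plus an unrelated 404 and is left alone; the 20:35 attempt from the already-banned host is skipped. Raising maxretry to 5 bans nobody, because the 20:35 line falls outside the 10-minute window of the earlier cluster. A real deployment also needs a ban expiry (fail2ban's bantime) and should drop the rule again afterwards.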