Re: Automatic blocking of attackers' IP

From: FEEB (feeb_at_chem.utoronto.ca)
Date: 09/07/04


Date: Tue, 07 Sep 2004 13:12:47 -0400 (EDT)

On 7 Sep 2004 16:56:58 GMT, Mark A. Odell wrote:

>"FEEB" <feeb@chem.utoronto.ca> wrote in
>news:srropurzhgbebagbpn.i3ohdhe.pminews@news1.chem.utoronto.ca:
>
>>>> I would like to have the following scenario implemented on my network:
>>>>
>>>> 1.
>>>> Someone tries repeatedly and illegally to log in as 'admin', 'root' or
>>>> whatever from some IP using SSH (or any other means).
>>>
>>>Why not just set hosts.deny to ALL: ALL and then open up only those IPs or
>>>domains you wish to allow in hosts.allow?
>>
>> We must be open to anyone. That's our business :-)
>
>Ah. Then just put the bad IP or IP range into the hosts.deny. Of course
>this won't scale well for many IP addresses.

It would be quite inconvenient in our case of 4 full C-blocks.

The mechanism of blocking the intruder is available. However, I want to
do it automatically and only after a certain trigger level has been
reached. I know how to do it, I just do not want to reinvent the wheel.

Frank Bures, <feeb@chem.utoronto.ca>
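
The trigger-level blocking asked for in this message, sketched as an added example that is not part of the original post: it counts failed SSH logins per source IP in a sliding window and emits hosts.deny entries only for addresses that reach the threshold. The OpenSSH syslog line format, the threshold and window values, the `year` parameter, and the names `offenders` and `hosts_deny_lines` are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines (documentation-range IPs), not from the post.
SAMPLE_LOG = """\
Sep  7 13:00:01 gw sshd[101]: Failed password for root from 192.0.2.10 port 4001 ssh2
Sep  7 13:00:09 gw sshd[102]: Failed password for illegal user admin from 192.0.2.10 port 4002 ssh2
Sep  7 13:01:30 gw sshd[103]: Failed password for root from 198.51.100.7 port 5001 ssh2
Sep  7 13:02:15 gw sshd[104]: Failed password for root from 192.0.2.10 port 4003 ssh2
Sep  7 13:05:00 gw sshd[105]: Accepted password for frank from 203.0.113.5 port 6001 ssh2
Sep  7 14:30:00 gw sshd[106]: Failed password for root from 198.51.100.7 port 5002 ssh2
Sep  7 16:45:00 gw sshd[107]: Failed password for root from 198.51.100.7 port 5003 ssh2
"""

# Anchored at both ends so text inside an attacker-chosen user name cannot
# pose as the "from <ip>" field.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?:invalid|illegal) user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def offenders(log_text, threshold=3, window=timedelta(minutes=10), year=2004):
    """Return IPs with >= threshold failed logins inside one sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    tripped = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        stamp = " ".join(m.group(1).split())   # collapse syslog's padded day
        # Syslog timestamps carry no year, so the caller supplies one (assumption).
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[m.group(2)]
        q.append(ts)
        while ts - q[0] > window:              # drop failures older than window
            q.popleft()
        if len(q) >= threshold and m.group(2) not in tripped:
            tripped.append(m.group(2))
    return tripped

def hosts_deny_lines(ips, daemon="sshd"):
    """Format tripped IPs as TCP Wrappers hosts.deny entries."""
    return [f"{daemon}: {ip}" for ip in ips]

if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(offenders(SAMPLE_LOG))))
```

Anything that appends these entries to a live hosts.deny should also skip the site's own address ranges and expire old entries, so a burst of mistyped passwords does not lock out a legitimate user permanently.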