----- On Apr 29, 2020, at 3:15 PM, mel <mel@beckman.org> wrote:

Hi Mel,
A clever idea to be sure, but it seems open to abuse. What stops someone from forging a tcp syn from every /24 on the Internet, causing you to blackhole your access to everywhere?
Fair point, and I lied a bit. My code relies on inet_ntoa(client_addr.sin_addr) after accept(), so technically it requires a bit more than just a SYN. But the basic idea is that anyone connecting to IPs that they should not be connecting to will be nullrouted from the network for 30 days. The bad guys automate scanning, I automate blocking. In the old days (pre-9/11), scriptkiddie-me would simply send a teardrop. Luckily I have matured slightly since that time.

Thanks,
Sabri
On Apr 29, 2020, at 2:24 PM, Sabri Berisha <sabri@cluecentral.net> wrote:
----- On Apr 29, 2020, at 9:08 AM, Stephen Satchell <list@satchell.net> wrote:
Hi,
That said, I use TCPWRAPPER to limit access to SSH to specific IP addresses. I process my LogWatch messages manually. I pull the fire alarm for snowshoe probes, and an excessive number of probes (over 30 in a 24-hour period). No registered abuse@ address in the WHOIS? The offending netblock goes into my edge router ACL, because I have learned that ne'er-do-wells without working abuse@ usually have other bad habits.
I have a very simple method to deal with that: a server with no other purpose than to blackhole portscanning culprits. Send so much as a tcp syn to port 22 and your entire /24 goes to null0 for a month. I have a few exceptions for entities that I know are responsive to abuse@, but that's it.
Highly effective.
Thanks,
Sabri
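The mechanism described in the thread (a listener whose accept() yields a peer address that completed the handshake, after which that address's /24 is nullrouted for 30 days unless it is on an exception list), written out as an added example that is not Sabri's code; the exception prefix, the in-memory store and the IOS-style route syntax are assumptions:

```python
import ipaddress
import socket
from datetime import datetime, timedelta, timezone

BLOCK_DAYS = 30  # the thread's "a month"
# Constructed allowlist of prefixes trusted to act on abuse@ (placeholder, not real networks)
EXCEPTIONS = [ipaddress.ip_network("192.0.2.0/24")]

def slash24(addr: str) -> ipaddress.IPv4Network:
    """The /24 containing addr; the thread nullroutes the whole /24, not just the host."""
    if ipaddress.ip_address(addr).version != 4:
        raise ValueError("only IPv4 is handled here, as in the thread")
    return ipaddress.ip_network(f"{addr}/24", strict=False)

def is_exempt(net: ipaddress.IPv4Network) -> bool:
    return any(net.overlaps(ex) for ex in EXCEPTIONS)

class Blackhole:
    """In-memory record of nullrouted /24s and when each block lapses."""
    def __init__(self):
        self.entries = {}  # IPv4Network -> expiry datetime

    def record(self, client_ip: str, now: datetime):
        net = slash24(client_ip)
        if is_exempt(net):
            return None  # known-responsive network: leave it alone
        self.entries[net] = now + timedelta(days=BLOCK_DAYS)
        return net

    def expire(self, now: datetime):
        lapsed = [n for n, until in self.entries.items() if until <= now]
        for n in lapsed:
            del self.entries[n]
        return lapsed

    def route_commands(self):
        # Assumed IOS-style syntax for the "goes to null0" step; adapt to your router.
        return [f"ip route {n.network_address} {n.netmask} Null0" for n in sorted(self.entries)]

def serve(bh: Blackhole, port: int = 22) -> None:
    """accept() returns only after a completed handshake, so the peer address is not a bare spoofed SYN."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen()
        while True:
            conn, (ip, _) = srv.accept()
            conn.close()  # nothing to say to a scanner; just record the source
            bh.record(ip, datetime.now(timezone.utc))
```

Run serve(Blackhole()) on a host with no legitimate reason to receive SSH, then push route_commands() to the router on a schedule and call expire() to lift blocks after 30 days.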