On 4/9/2010 15:42, Benjamin Billon wrote:
This is also blocking Sina, Netease, Yahoo.cn and other major Chinese ISP/ESP. Am I the only to think this is not very smart?
It depends. I'am not a fan of country blocking. But in my case it can work for a home server. You could adapt the list and block port 22 only for production servers where you can't expect to never have email from China, but can safely block brute force ssh attacks.
Yep, home server, your server. That's not the same when you have customers who rely on your server. IMHO, port 22 and other critical ports should always be blocked except from known places.
I personally use a port knocking setup and it pretty much eliminates SSH brute force account/password hacks. Actually, on one box that didn't have the ability to do that, I simply moved the SSH port. This was surprisingly effective, although a bit inconvenient. I'll have to say that a very large number of the brute attempts were from Chinese IPs. Hopefully they're not reading this. ;-)