-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

der.hans wrote:
|
| OK. Most people aren't running services from home, or so I have the
| impression based on ISP rules. I also run those, except s/imaps/dns/ :).

Most people don't have Speakeasy.net as their ISP, either. =op We
actually chose them specifically because they allow you to do anything
with your 'net connection -- even share it out to others. They have a
really geek-/tech-friendly AUP and staff, too.

See http://www.speakeasy.net for more info. They usually have ads on
OSTG's ad servers and IIRC, they're still running a pretty good sale
through Slashdot, too. It's an ADSL based service, so if you're hooked
on cable's speed you might be a bit disappointed, but it's pretty
reliable and the service is great.

| Well, if he always comes from the same place, then you could hardcode
| allowing him in, and use port knocking for any other external addy. That
| way if you find yourself at a cafe with a laptop, a Net connection and a
| hankering to work on some code you have on the home box you can get in.

Now that's a great idea -- you can guess what I'll be doing tonight. =o)

| If he comes from multiple IPs, maybe his ISP changes his IP on a regular
| basis, you might still be able to do it but it gets hairy if he isn't too
| tech aware.

I /think/ that he's on a dynamic IP setup, but his IP probably doesn't
change very often (a little bit like Cox or some other cable providers).
A quick look into my utmp and wtmp logs can verify that.

| Unfortunately, that is the way things seem to be. The cops only have so
| many resources. Criminals and pranksters have more resources. At some
| point a threshold sets in and you have to cross it to get attention. No
| different for electronic stuff, except the threshold is much higher.
|
| Your ISP might care and might work with you.

Somehow I doubt it. I didn't realize how common these kinds of attacks
were until after I wrote that last email, so I figured it was something
unique. Since it seems to be a kind of manually assisted malware, I doubt
anybody would be even slightly interested in hunting it down. Sort of
like the last rash of Code Red attacks we went through, except this time
it's a few hundred people around the world doing it manually.

A blacklisting I go, I guess. *shrugs*

| speakeasy?

See above. =o)

| There are. I don't see anything in tcp-wrappers, but look at it because I
| might've missed something. 'man hosts.allow' to get started there.

I looked into it -- the Debian version of tcpwrappers gives a way to
call a shell script. I think I might have a way to build a shell script
that tracks repeated login attempts and essentially tarpit the
connection. It won't be pretty, but it'll work. =o) Thanks for the
pointer.

| Using firewall rules you can add stuff like that. Might not be too
| difficult with iptables. I haven't done it, but I know you can write
| reactive rules.

I had no idea reactive rules could be written using iptables. Definitely
something to look more closely into. If I figure something out, I'll let
everybody know on the list -- could come in handy in the future, I'm
sure. =o)

- --
June Tate * http://www.theonelab.com * june@theonelab.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBuTvfiLw1iDrV/zwRAqJZAJ9aT0aWqme22sG+LQdJJtL1BBsC3QCfeerV
uS7TLMJjudpWt2byYm9F0ME=
=8RoN
-----END PGP SIGNATURE-----
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
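
Added example, not part of the original e-mail and not June's script: one way the "tracks repeated login attempts" part of the shell script mentioned above could work, counting failed sshd password attempts per source address and printing hosts.deny entries, with an allowlist for the hardcoded friendly address der.hans suggests. The log lines, addresses, threshold and function names are constructed for illustration; it handles IPv4 only and leaves the tarpit step out.

```shell
#!/bin/sh
# Added example (not from the e-mail): find repeat offenders in sshd log
# lines and print tcp-wrappers hosts.deny entries for them.

# Constructed sample in the usual OpenSSH syslog format (documentation IPs).
sample_log() {
cat <<'EOF'
Dec  9 22:01:10 home sshd[811]: Failed password for root from 203.0.113.7 port 4101 ssh2
Dec  9 22:01:12 home sshd[813]: Failed password for invalid user admin from 203.0.113.7 port 4102 ssh2
Dec  9 22:01:15 home sshd[815]: Failed password for invalid user test from 203.0.113.7 port 4103 ssh2
Dec  9 22:02:40 home sshd[820]: Failed password for friend from 198.51.100.20 port 5000 ssh2
Dec  9 22:02:44 home sshd[821]: Failed password for friend from 198.51.100.20 port 5001 ssh2
Dec  9 22:02:49 home sshd[822]: Failed password for friend from 198.51.100.20 port 5002 ssh2
Dec  9 22:03:00 home sshd[830]: Failed password for invalid user x from 192.0.2.1 port 1 ssh2 from 203.0.113.99 port 6000 ssh2
Dec  9 22:03:05 home sshd[831]: Accepted password for june from 192.0.2.50 port 6100 ssh2
EOF
}

# offenders THRESHOLD ALLOWLIST   (log on stdin)
# ALLOWLIST: space-separated addresses that are never blocked (assumption:
# the friend with a mostly stable address is listed here).
offenders() {
    awk -v min="$1" -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # The user name is chosen by the remote side and may itself contain
        # "from 192.0.2.1", so read the address from the fixed tail
        # "from ADDR port N ssh2" and never from the first "from" on the line.
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Failed" && $(NF-4) == "from" && $(NF-2) == "port" {
            ip = $(NF-3)
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !(ip in ok)) hits[ip]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print "sshd: " ip }
    ' | LC_ALL=C sort
}

# Three or more failures gets an entry; the allowlisted address does not.
sample_log | offenders 3 "198.51.100.20"
```

The seventh sample line carries a user name crafted to look like a failure from 192.0.2.1; reading the address from the end of the line keeps that host out of the deny list.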