On 09. Dec, 2004, June Tate chatted thusly:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> der.hans wrote:
> |
> | OK. Most people aren't running services from home, or so I have the
> | impression based on ISP rules. I also run those, except s/imaps/dns/ :).
>
> Most people don't have Speakeasy.net as their ISP, either. =op :)
> We actually chose them specifically because they allow you to do
> anything with your 'net connection -- even share it out to others. They
> have a really geek-/tech- friendly AUP and staff, too.

I know a few people who've had complaints, but I think speakeasy generally
has a good rep.

> See http://www.speakeasy.net for more info. They usually have ads on
> OSTG's ad servers and IIRC, they're still running a pretty good sale
> through Slashdot, too. It's an ADSL based service, so if you're hooked
> on cable's speed you might be a bit disappointed, but it's pretty
> reliable and the service is great.
>
> | Well, if he always comes from the same place, then you could hardcode
> | allowing him in, and use port knocking for any other external addy. That
> | way if you find yourself at a cafe with a laptop, a Net connection and a
> | hankering to work on some code you have on the home box you can get in.
>
> Now that's a great idea -- you can guess what I'll be doing tonight. =o)

And by doing so you missed the party/meeting and thereby the cheesecake...

> | If he comes from multiple IPs, maybe his ISP changes his IP on a regular
> | basis, you might still be able to do it but it gets hairy if he isn't too
> | tech aware.
>
> I /think/ that he's on a dynamic IP setup, but his IP probably doesn't
> change very often (a little bit like Cox or some other cable providers).
> A quick look into my utmp and wtmp logs can verify that.
>
> | Unfortunately, that is the way things seem to be. The cops only have so
> | many resources. Criminals and pranksters have more resources. At some
> | point a threshold sets in and you have to cross it to get attention. No
> | different for electronic stuff, except the threshold is much higher.
> |
> | Your ISP might care and might work with you.
>
> Somehow I doubt it. I didn't realize how common these kinds of attacks
> were until after I wrote that last email, so I figured it was something
> unique. Since it seems to be a kind of manually assisted malware, I
> doubt anybody would be even slightly interested in hunting it down.
> Sort of like the last rash of codered attacks we went through, except
> this time it's a few hundred people around the world doing it manually.
>
> A blacklisting I go, I guess. *shrugs*

That's one way. Set up blacklists to lock IPs out for a few days and see if
that helps.

> | speakeasy?
>
> See above. =o)
>
> | There are. I don't see anything in tcp-wrappers, but look at it because I
> | might've missed something. 'man hosts.allow' to get started there.
>
> I looked into it -- the Debian version of tcpwrappers gives a way to
> call a shell script. I think I might have a way to build a shell script
> that tracks repeated login attempts and essentially tarpit the
> connection. It won't be pretty, but it'll work. =o)

Yup.

> Thanks for the pointer.

NP.

> | Using firewall rules you can add stuff like that. Might not be too
> | difficult with iptables. I haven't done it, but I know you can write
> | reactive rules.
>
> I had no idea reactive rules could be written using iptables. Definitely
> something to look more closely into. If I figure something out, I'll let
> everybody know on the list -- could come in handy in the future, I'm
> sure. =o)

You can also shell out from iptables. Sounds scary, but is reported to work.
We had a presentation on that a few years back. Well, it was on iptables, but
they showed userland filtering as well.

Hmm, I know someone who did reactive stuff due to SPAM.

http://www.usenix.org/events/lisa02/tech/mikula.html

Looks like the full paper is there, so ignore the warning about needing a
USENIX membership :). If there's a problem let me know and I'll get you a
copy.

Note: friend no longer works at the ISP mentioned in the paper, so no one
feels obligated to say nice things about it. Hmm, I don't think any of the
paper's authors are still at the ISP.

ciao,

der.hans
-- 
#  https://www.LuftHans.com/   http://www.AZOTO.org/
#  "But you could teach these skills to a high-school student, and you could
#  probably teach them to an artist." -- Richard Roberts
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
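A worked example of the approach the thread circles around: a shell script that counts repeated failed SSH logins per source address (the tcp-wrappers idea), records offenders in a blocklist that expires after a few days ("lock IPs out for a few days"), and renders that list both as hosts.deny lines and as iptables commands (the "reactive rules" idea). This is added example code, not anything June Tate or der.hans posted; the log lines and addresses are constructed (RFC 5737 documentation ranges), the threshold of 3 failures and the 3-day expiry are assumptions, and it only prints the deny lines and iptables commands rather than applying them.

```shell
#!/bin/sh
# Added example (not from the thread): count failed SSH logins per source
# address, keep a timestamped blocklist that expires after a few days, and
# render it for tcp-wrappers (hosts.deny) and iptables. Nothing is applied;
# the script only prints what an operator would review and install.

# Constructed sample in OpenSSH syslog style; addresses are documentation ranges.
sample_log() {
    cat <<'EOF'
Dec  9 22:01:13 home sshd[4121]: Failed password for invalid user admin from 192.0.2.10 port 40111 ssh2
Dec  9 22:01:15 home sshd[4122]: Failed password for invalid user test from 192.0.2.10 port 40112 ssh2
Dec  9 22:01:18 home sshd[4123]: Failed password for root from 192.0.2.10 port 40113 ssh2
Dec  9 22:01:21 home sshd[4124]: Failed password for invalid user guest from 192.0.2.10 port 40114 ssh2
Dec  9 22:01:24 home sshd[4125]: Failed password for root from 192.0.2.10 port 40115 ssh2
Dec  9 22:03:40 home sshd[4131]: Failed password for hans from 203.0.113.5 port 50200 ssh2
Dec  9 22:03:52 home sshd[4132]: Accepted password for hans from 203.0.113.5 port 50201 ssh2
Dec  9 22:05:02 home sshd[4140]: Accepted publickey for hans from 198.51.100.7 port 51022 ssh2
EOF
}

# Read log lines on stdin; print "count ip" for every address with at least
# $1 failed password attempts, most active first. A single typo (203.0.113.5)
# stays under the threshold, so a legitimate user is not locked out.
repeat_offenders() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i < NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= t) print fails[ip], ip }
    ' | sort -rn
}

# Read "count ip" on stdin; append "epoch ip" to blockfile $2 for addresses
# not already listed, using $1 as the current epoch time.
record_blocks() {
    now="$1"; blockfile="$2"
    touch "$blockfile"
    while read -r _count ip; do
        grep -q " $ip\$" "$blockfile" || printf '%s %s\n' "$now" "$ip" >> "$blockfile"
    done
}

# Drop entries older than $2 days from blockfile $3 (current epoch in $1),
# so a block lasts "a few days" instead of forever.
expire_blocks() {
    now="$1"; days="$2"; blockfile="$3"
    awk -v now="$now" -v max="$((days * 86400))" 'now - $1 <= max' "$blockfile" \
        > "$blockfile.tmp" && mv "$blockfile.tmp" "$blockfile"
}

# Render blockfile $1 as tcp-wrappers hosts.deny lines for sshd.
render_hosts_deny() {
    awk '{ print "sshd: " $2 }' "$1"
}

# Render blockfile $1 as iptables commands dropping SSH from each address
# (printed for review, not executed).
render_iptables() {
    awk '{ print "iptables -I INPUT -s " $2 " -p tcp --dport 22 -j DROP" }' "$1"
}

# Stand-alone run: threshold 3 failures, blocks kept 3 days (assumed values).
main() {
    blockfile="$(mktemp)"
    now="$(date +%s)"
    sample_log | repeat_offenders 3 | record_blocks "$now" "$blockfile"
    expire_blocks "$now" 3 "$blockfile"
    render_hosts_deny "$blockfile"
    render_iptables "$blockfile"
    rm -f "$blockfile"
}
main
```

In real use the log would come from the auth log (or from the tcp-wrappers spawn hook the Debian package offers) instead of `sample_log`, and the blockfile would live somewhere persistent; the expiry step is what keeps a dynamic-IP neighbour from staying blocked after the address moves on.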