Re: Cracking attempt dilemma

Author: June Tate
To: plug-discuss
Subject: Re: Cracking attempt dilemma
der.hans wrote:
|
| OK. Most people aren't running services from home, or so I have the
| impression based on ISP rules. I also run those, except s/imaps/dns/ :).


Most people don't have Speakeasy.net as their ISP, either. =op
We actually chose them specifically because they allow you to do
anything with your 'net connection -- even share it out to others. They
have a really geek-/tech- friendly AUP and staff, too.

See http://www.speakeasy.net for more info. They usually have ads on
OSTG's ad servers and IIRC, they're still running a pretty good sale
through Slashdot, too. It's an ADSL based service, so if you're hooked
on cable's speed you might be a bit disappointed, but it's pretty
reliable and the service is great.

| Well, if he always comes from the same place, then you could hardcode
| allowing him in, and use port knocking for any other external addy. That
| way if you find yourself at a cafe with a laptop, a Net connection and a
| hankering to work on some code you have on the home box you can get in.


Now that's a great idea -- you can guess what I'll be doing tonight. =o)

| If he comes from multiple IPs, maybe his ISP changes his IP on a regular
| basis, you might still be able to do it but it gets hairy if he isn't too
| tech aware.


I /think/ that he's on a dynamic IP setup, but his IP probably doesn't
change very often (a little bit like Cox or some other cable providers).
A quick look into my utmp and wtmp logs can verify that.

| Unfortunately, that is the way things seem to be. The cops only have so
| many resources. Criminals and pranksters have more resources. At some
| point a threshold sets in and you have to cross it to get attention. No
| different for electronic stuff, except the threshold is much higher.

|
| Your ISP might care and might work with you.


Somehow I doubt it. I didn't realize how common these kinds of attacks
were until after I wrote that last email, so I figured it was something
unique. Since it seems to be a kind of manually assisted malware, I
doubt anybody would be even slightly interested in hunting it down.
Sort of like the last rash of Code Red attacks we went through, except
this time it's a few hundred people around the world doing it manually.

A blacklisting I go, I guess. *shrugs*

| speakeasy?


See above. =o)

| There are. I don't see anything in tcp-wrappers, but look at it because I
| might've missed something. 'man hosts.allow' to get started there.


I looked into it -- the Debian version of tcpwrappers gives a way to
call a shell script. I think I might have a way to build a shell script
that tracks repeated login attempts and essentially tarpits the
connection. It won't be pretty, but it'll work. =o)

Thanks for the pointer.

| Using firewall rules you can add stuff like that. Might not be too
| difficult with iptables. I haven't done it, but I know you can write
| reactive rules.


I had no idea reactive rules could be written using iptables. Definitely
something to look more closely into. If I figure something out, I'll let
everybody know on the list -- could come in handy in the future, I'm
sure. =o)

- --
June Tate * http://www.theonelab.com *
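One way to build the attempt-tracking script mentioned above, added here as an example and not code from the original thread. It assumes the Debian tcp_wrappers build's `aclexec` option (which passes the client address via `%a` and uses the script's exit status to allow or deny), and the address values, thresholds and state directory are constructed placeholders; it handles IPv4 only.

```shell
#!/bin/sh
# tcpwrappers_throttle.sh (hypothetical name), meant to be called from
# /etc/hosts.allow on the Debian tcp_wrappers build, e.g.:
#   sshd: ALL: aclexec /usr/local/sbin/tcpwrappers_throttle.sh %a
# Exit status 0 allows the connection, non-zero denies it.

STATE_DIR="${STATE_DIR:-/var/tmp/tcpw-throttle}"  # per-address attempt logs
ALLOW_LIST="${ALLOW_LIST:-198.51.100.7}"          # constructed: friend's fixed address
MAX_ATTEMPTS="${MAX_ATTEMPTS:-5}"                 # attempts permitted per window
WINDOW="${WINDOW:-600}"                           # window length in seconds
TARPIT_SECONDS="${TARPIT_SECONDS:-30}"            # delay before a denial is returned

# check_client ADDRESS: records the attempt, drops entries older than WINDOW
# seconds, and denies (after a tarpit delay) once MAX_ATTEMPTS is exceeded.
# Returns 0 to allow, 1 to deny.
check_client() {
    ip="$1"
    now=$(date +%s)
    # Hard-coded allow for the known address, as suggested in the thread.
    for a in $ALLOW_LIST; do
        [ "$a" = "$ip" ] && return 0
    done
    # The address comes from the network, so refuse anything that is not a
    # plain IPv4 address before using it as part of a filename.
    case "$ip" in
        *[!0-9.]*|"") return 1 ;;
    esac
    mkdir -p "$STATE_DIR"
    f="$STATE_DIR/$ip"
    cutoff=$((now - WINDOW))
    # Keep only timestamps still inside the window, then append this attempt.
    if [ -f "$f" ]; then
        awk -v c="$cutoff" '$1 >= c' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    fi
    echo "$now" >> "$f"
    count=$(wc -l < "$f" | tr -d ' ')
    if [ "$count" -gt "$MAX_ATTEMPTS" ]; then
        sleep "$TARPIT_SECONDS"   # tarpit: make every denied attempt slow
        return 1
    fi
    return 0
}

# When run with the client address as its only argument (as aclexec does),
# decide and exit with the result.
if [ "$#" -eq 1 ]; then
    check_client "$1"
    exit $?
fi
```

Entries for an address that stays quiet for longer than WINDOW age out on its next attempt, so a legitimate user who mistypes a password a few times is not locked out permanently.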


---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss