I do use fail2ban. The problem with it is that it only does a temporary block of single IPs after they have been logged doing something else. I am trying to be proactive. From fail2ban and other logs, I collect the unwanted IPs and research them, extracting known CIDR blocks of IPs to block before they get to Joomla, Postfix or whatever, then set up the iptables to monitor and drop. I don't monitor every dropped packet, just the ones that I am interested in at the moment. This particular Frenchman has behaved rather unusually, in that the "attack" has gone on from this address for so long.


On 6 July 2013 19:33, Johnathon Tinsley <kirrus@kirrus.co.uk> wrote:
If you're going to monitor and block these, I would recommend using a tool such as fail2ban, with the corresponding WordPress plugin. After the nth blocked IP, it really does get boring, and these attacks will be (and are) never ending.


On 6 Jul 2013, at 19:00, Keith Williams <keithwilliamsnp@gmail.com> wrote:

Thank you Ashley. Yes, I have researched the IP. It is from a block of IPs based in France and most of the block are listed in a number of blacklists and other reputation sites. There are other blocks associated with this one; all have a dodgy reputation. At the moment, I have set up a chain in iptables to label, log and dump these blocks.
 
A new one has appeared today; it was reported in the log as attempting to use a known hack on Apache. It only tried once, but it was hardly a friendly act. Research on it showed that it is in the range of IPs used by a certain UK SEO company, scraping sites for information to sell to its clients. This one was interesting though, as it had no reports of actual harm except that one well respected RBL database noted that it had appeared yesterday linked to a malware installer. Hence, I suppose, the attempted hack attack. More blocking and monitoring!


On 6 July 2013 18:04, Ashley Norris <ashley@norris.org.au> wrote:
On 05/07/2013 11:24, Daniel Case wrote:
> Why not just null route the IP address

Just a quick note on this if you are doing it for the first time.

Some addresses can have thousands of NATed computers behind them. Or, if
the address is a VPN provider end point, then it will mean your system
can not be reached by many many people.

Just remember this when you block an IP, as six months from now you may
be chasing some other connectivity issue caused by the block, or the
next one, and so on...

Some simple checks before doing this might involve a reverse domain
lookup on the address or a GeoIP on the address. Finally, simply
remember that you did it, and maybe consider always removing bans after
a certain amount of time: 3-6 months, perhaps, hopefully after the idiot
harassing your server has moved on to doing something else...

Just my $0.02 worth,

Ash

--
---
Ashley Norris
Oxford, UK
+44 7414 661 023
----------------

_______________________________________________
users mailing list
users@lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users



--
Keith Williams
 
Keith's Place  www.keiths-place.co.uk
 
Tailor Made English   www.tmenglish.org
 
West Norfolk RSPCA www.westnorfolkrspca.org.uk
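The thread describes two things worth putting together: a labelled iptables chain that logs and then drops whole CIDR blocks (Keith's approach), and Ash's advice to check an address before blocking it and to let bans lapse after a few months. The script below is an added example written for this page; it is not a script from any of the posters. It assumes a blocklist file with one entry per line in the form `<cidr> <expiry YYYY-MM-DD> <label>` (an invented format), a chain name `BLOCKLIST` (invented), and the constructed sample entries use RFC 5737 documentation ranges rather than any address discussed in the thread.

```shell
#!/bin/sh
# Added example (not the thread's own script): keep a labelled iptables chain
# that logs and drops unwanted CIDR blocks, with an expiry date per entry so
# bans do not outlive their usefulness (the 3-6 month point raised in the thread).
#
# Blocklist file format, one entry per line (assumed format, not from the thread):
#   <cidr> <expiry YYYY-MM-DD> <label>
# The CIDRs in sample_blocklist are RFC 5737 documentation ranges, constructed here.

CHAIN="${CHAIN:-BLOCKLIST}"   # hypothetical chain name

sample_blocklist() {
    cat <<'EOF'
# cidr            expiry      label
203.0.113.0/24    2013-12-31  fr-block
198.51.100.0/24   2013-06-01  uk-seo
192.0.2.0/24      2014-01-15  misc
EOF
}

# Print only the entries still in force on the given date ($2, YYYY-MM-DD);
# comments, short lines and expired entries are dropped. ISO dates compare
# correctly as plain strings, so no date arithmetic is needed.
prune_expired() {
    awk -v today="$2" '
        /^#/ || NF < 3 { next }
        $2 >= today    { print $1, $2, $3 }
    ' "$1"
}

# Print (do not run) the iptables commands for the active entries: recreate
# the chain, then per CIDR a rate-limited LOG rule tagged with the label
# followed by a DROP, and finally a single jump from INPUT. The label is the
# log prefix, so keep it under the 29-character limit iptables imposes.
# Pipe the output to sh as root to apply it.
build_rules() {
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    prune_expired "$1" "$2" | while read -r cidr expiry label; do
        echo "iptables -A $CHAIN -s $cidr -m limit --limit 5/min -j LOG --log-prefix \"$label: \""
        echo "iptables -A $CHAIN -s $cidr -j DROP"
    done
    echo "iptables -C INPUT -j $CHAIN 2>/dev/null || iptables -I INPUT -j $CHAIN"
}

# Pre-block sanity check along the lines Ash suggests: show the reverse name
# of the first address in the block so a VPN endpoint or large NAT gateway is
# spotted before it is blocked. Needs DNS, so demo does not call it.
rdns_check() {
    ip="${1%%/*}"
    if command -v host >/dev/null 2>&1; then
        host "$ip" || echo "no reverse name for $ip"
    else
        getent hosts "$ip" || echo "no reverse name for $ip"
    fi
}

# Build the rules for the sample list as of the thread's date (2013-07-06),
# so that one sample entry is already expired and two are still active.
demo() {
    f=$(mktemp)
    sample_blocklist > "$f"
    build_rules "$f" "${1:-2013-07-06}"
    rm -f "$f"
}

if [ "${1:-}" = "demo" ]; then
    demo "${2:-}"
fi
```

Run `sh blocklist.sh demo` to see the generated rules without touching the firewall; rerunning `build_rules` with today's date from cron is what makes the expiry dates take effect, since the chain is flushed and rebuilt from whatever entries are still current. For lists of more than a few dozen blocks, an ipset referenced by one rule scales better than one LOG/DROP pair per CIDR, but the per-block label in the log is what makes the output readable when you are only watching the few blocks you currently care about.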