I do use fail2ban. The problem with it is that it only does a temporary
block of single IPs after they have been logged doing something else. I am
trying to be proactive. From fail2ban and other logs, I collect the
unwanted IPs and research them extracting known CIDR blocks of IPs to block
before they get to Joomla, Postfix or whatever, then set up the iptables to
monitor and drop. I don't monitor every dropped packet, just the ones that
I am interested in at the moment. This particular Frenchman has behaved
rather unusually, in that the "attack" has gone on from this address for so
On 6 July 2013 19:33, Johnathon Tinsley <kirrus(a)kirrus.co.uk> wrote:
If you're going to monitor and block these, I
would recommend using a tool
such as fail2ban, with the corresponding WordPress plugin. After the nth
blocked IP, it really does get boring, and these attacks will be (and are)
On 6 Jul 2013, at 19:00, Keith Williams <keithwilliamsnp(a)gmail.com> wrote:
Thank you Ashley. Yes, I have researched the IP. It is from a block of IPs
based in France and most of the block are listed in a number of blacklists
and other reputation sites. There are other blocks associated with this
one, and all have a dodgy reputation. At the moment, I have set up a chain in
iptables to label, log and dump these blocks.
A new one has appeared today, it was reported in the log as attempting to
use a known hack on Apache. It only tried once, but it was hardly a
friendly act. Research on it showed that it is in the range of IPs used by
a certain UK SEO company, scraping sites for information to sell to its
clients. This one was interesting though as it had no reports of actual
harm except that one well-respected RBL database noted that it had appeared
yesterday linked to a malware installer. Hence, I suppose, the
attempted hack attack. More blocking and monitoring!
On 6 July 2013 18:04, Ashley Norris <ashley(a)norris.org.au> wrote:
On 05/07/2013 11:24, Daniel Case wrote:
Why not just null route the IP address?
Just a quick note on this if you are doing it for the first time.
Some addresses can have thousands of NATed computers behind them. Or, if
the address is a VPN provider end point, then it will mean your system
cannot be reached by many, many people.
Just remember this when you block an IP, as six months from now you may
be chasing some other connectivity issue caused by the block, or the
next one, and so on...
Some simple checks before doing this might involve a reverse domain
lookup on the address or a GeoIP on the address. Finally, simply
remember that you did it, and maybe consider always removing bans after
a certain amount of time: 3-6 months, perhaps, hopefully after the idiot
harassing your server has moved on to doing something else...
Just my $0.02 worth,
users mailing list
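A worked version of the approach discussed in this thread (an iptables chain that labels, logs and drops harvested CIDR blocks, with the block-size caution and the time-limited bans suggested above folded in), as an added example that is not code from any poster. It emits the iptables commands as strings for review rather than applying them; the chain name BADBLOCKS, the /16 width limit, the 90-day expiry and the sample CIDRs are all constructed.

```python
import ipaddress
from datetime import date, timedelta

CHAIN = "BADBLOCKS"   # hypothetical chain name; the thread does not give one
MIN_PREFIX = 16       # refuse anything wider than a /16: too much collateral
BAN_DAYS = 90         # bans carry an expiry, per the 3-6 month suggestion
# Ranges that must never end up in a block list, whatever the logs say.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def clean_blocks(candidates, min_prefix=MIN_PREFIX):
    """Validate harvested CIDRs, drop unusable or overly wide ones,
    and merge overlaps so one rule covers each range."""
    nets = []
    for c in candidates:
        try:
            net = ipaddress.ip_network(c.strip(), strict=False)
        except ValueError:
            continue                    # not a CIDR at all: skip, never guess
        if net.version != 4 or any(net.overlaps(p) for p in NEVER_BLOCK):
            continue                    # RFC1918, loopback, link-local
        if net.prefixlen < min_prefix:
            continue                    # a /8 would cut off whole ISPs (NAT/VPN users)
        nets.append(net)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def iptables_rules(blocks, label, today, chain=CHAIN, ban_days=BAN_DAYS):
    """Commands for a chain that labels (comment), logs (rate-limited) and drops."""
    expires = (today + timedelta(days=ban_days)).isoformat()
    tag = f"{label} expires={expires}"
    rules = [f"iptables -N {chain}"]
    for b in blocks:
        rules.append(f'iptables -A {chain} -s {b} -m comment --comment "{tag}" '
                     f'-m limit --limit 5/min -j LOG --log-prefix "{label}: "')
        rules.append(f'iptables -A {chain} -s {b} -m comment --comment "{tag}" -j DROP')
    rules.append(f"iptables -I INPUT -j {chain}")
    return rules

def expired_rules(rules, today):
    """Rules whose expiry has passed; feed these to a periodic cleanup job."""
    return [r for r in rules if "expires=" in r
            and date.fromisoformat(r.split("expires=")[1].split('"')[0]) < today]

if __name__ == "__main__":
    # Constructed sample input: what a log-harvesting step might produce.
    harvested = ["203.0.113.0/24", "203.0.113.128/25", "192.168.1.0/24",
                 "10.0.0.0/8", "198.51.100.0/22", "not-a-cidr", "1.0.0.0/8"]
    for line in iptables_rules(clean_blocks(harvested), "fr-block", date(2013, 7, 6)):
        print(line)
```

The expiry lives in each rule's comment, so `iptables -S BADBLOCKS` piped through `expired_rules` is enough to find bans that should be lifted.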