[tech] Snort: should we block attacking hosts?

Daniel Axtens dja at ucc.asn.au
Sat Feb 25 15:08:29 WST 2012


No, it's been commented out:

# Stop MS SQL server worms (why? disabling this rule for now - [law])
#$IPTABLES -A FROMOUTSIDE -p tcp --dport 1433 -j DROP
#$IP6TABLES -A FROMOUTSIDE -p tcp --dport 1433 -j DROP

-- d

On 21/02/2012, at 9:47 AM, Matt Johnston wrote:

> Isn't all that rubbish already firewalled though?
> 
> Matt
> 
> On Tue, Feb 21, 2012 at 12:16:28AM +0800, Anil Sharma wrote:
>> I'm not a computer scientist, but ...
>> 
>> If blocking these hosts is trivial to automate, I'm all for it. It
>> means we also block attacks coming from them that we can't detect.
>> 
>> On 20 February 2012 23:04, Grahame Bowland <grahame at angrygoats.net> wrote:
>>> Hey
>>> 
>>> Do you care about MS-SQL attacks? Seems like it's probably wasted effort.
>>> 
>>> On 20 February 2012 22:59, Daniel Axtens <danielax at gmail.com> wrote:
>>>> 
>>>> Greetings!
>>>> 
>>>> Perusal of the daily snort emails shows that many of the alerts are
>>>> generated by a relatively small number of hosts, mostly trying to propagate
>>>> some sort of MS-SQL worm.
>>>> 
>>>> What are people's opinions on setting up fail2ban to drop traffic coming
>>>> from hosts who send lots of known-bad traffic?
>>>> 
>>>> The obvious downside is potential DOS on valid users. How big is this risk
>>>> and do we care?
>>>> 
>>>> Thanks in advance,
>>>> -- d
>>> 
>>> 
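
As an added example (not code from this thread or the UCC firewall scripts) of the fail2ban-style automation Daniel proposed, the script below counts Snort fast-format alerts per source host, applies a threshold, and renders DROP rules for the FROMOUTSIDE chain quoted above; a trusted-network allowlist is the guard against the DoS-on-valid-users risk raised in the thread. The alert lines, the SID and all addresses are constructed samples, and nothing is executed.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample alerts in Snort "fast" format (not real alerts): SID 1000001 is in
# the local-rule range and the addresses are documentation/private ranges.
SAMPLE_ALERTS = """\
02/20-22:59:01.123456  [**] [1:1000001:1] MS-SQL worm propagation attempt [**] [Priority: 2] {TCP} 203.0.113.5:3412 -> 192.0.2.10:1433
02/20-22:59:03.223456  [**] [1:1000001:1] MS-SQL worm propagation attempt [**] [Priority: 2] {TCP} 203.0.113.5:3413 -> 192.0.2.10:1433
02/20-22:59:07.323456  [**] [1:1000001:1] MS-SQL worm propagation attempt [**] [Priority: 2] {TCP} 203.0.113.5:3414 -> 192.0.2.10:1433
02/20-23:01:10.423456  [**] [1:1000001:1] MS-SQL worm propagation attempt [**] [Priority: 2] {TCP} 198.51.100.7:4001 -> 192.0.2.10:1433
02/20-23:02:44.523456  [**] [1:1000001:1] MS-SQL worm propagation attempt [**] [Priority: 2] {TCP} 10.0.0.23:5050 -> 192.0.2.10:1433
02/20-23:02:45.623456  [**] [1:1000001:1] MS-SQL worm propagation attempt [**] [Priority: 2] {TCP} 10.0.0.23:5051 -> 192.0.2.10:1433
02/20-23:02:46.723456  [**] [1:1000001:1] MS-SQL worm propagation attempt [**] [Priority: 2] {TCP} 10.0.0.23:5052 -> 192.0.2.10:1433
"""

# The "{proto} src:port -> dst:port" tail of a fast-format line; only the source matters here.
ALERT_RE = re.compile(r"\{\w+\} (?P<src>[0-9a-fA-F.:]+):\d+ -> [0-9a-fA-F.:]+:\d+\s*$")


def alert_sources(log_text):
    """Count alerts per source host."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            counts[m.group("src")] += 1
    return counts


def hosts_to_block(log_text, threshold, trusted_networks):
    """Sources with >= threshold alerts, split into (to block, skipped as trusted).

    The allowlist is the guard against the DoS-on-valid-users risk raised in the
    thread: a source inside a trusted range is reported but never blocked.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    blocked, skipped = [], []
    for src, n in alert_sources(log_text).items():
        if n < threshold:
            continue
        addr = ipaddress.ip_address(src)
        (skipped if any(addr in net for net in trusted) else blocked).append(src)
    return sorted(blocked), sorted(skipped)


def drop_rules(hosts, chain="FROMOUTSIDE"):
    """Render DROP rules for the chain used in the firewall script above (nothing is executed)."""
    tool = {4: "iptables", 6: "ip6tables"}
    return [f"{tool[ipaddress.ip_address(h).version]} -A {chain} -s {h} -j DROP" for h in hosts]
```

With the sample data, `hosts_to_block(SAMPLE_ALERTS, 3, ["10.0.0.0/8"])` blocks only 203.0.113.5 and reports 10.0.0.23 as trusted; review the skipped list by hand rather than lowering the threshold.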