[tech] Snort: should we block attacking hosts?
Daniel Axtens
dja at ucc.asn.au
Sat Feb 25 15:08:29 WST 2012
No, it's been commented out:
# Stop MS SQL server worms (why? disabling this rule for now - [law])
#$IPTABLES -A FROMOUTSIDE -p tcp --dport 1433 -j DROP
#$IP6TABLES -A FROMOUTSIDE -p tcp --dport 1433 -j DROP
-- d
On 21/02/2012, at 9:47 AM, Matt Johnston wrote:
> Isn't all that rubbish already firewalled though?
>
> Matt
>
> On Tue, Feb 21, 2012 at 12:16:28AM +0800, Anil Sharma wrote:
>> I'm not a computer scientist, but ...
>>
>> If blocking these hosts is trivial to automate, I'm all for it. It
>> means we also block attacks coming from them that we can't detect.
>>
>> On 20 February 2012 23:04, Grahame Bowland <grahame at angrygoats.net> wrote:
>>> Hey
>>>
>>> Do you care about MS-SQL attacks? Seems like it's probably wasted effort.
>>>
>>> On 20 February 2012 22:59, Daniel Axtens <danielax at gmail.com> wrote:
>>>>
>>>> Greetings!
>>>>
>>>> Perusal of the daily snort emails shows that much of the alerts are
>>>> generated by a relatively small number of hosts, mostly trying to propagate
>>>> some sort of MS-SQL worm.
>>>>
>>>> What are people's opinions on setting up fail2ban to drop traffic coming
>>>> from hosts who send lots of known-bad traffic?
>>>>
>>>> The obvious downside is potential DOS on valid users. How big is this risk
>>>> and do we care?
>>>>
>>>> Thanks in advance,
>>>> -- d
>>>
>>>
More information about the tech
mailing list