Hello all.

We had a thread going a while back (I think on the users list, though), in which we discussed the idea of completely eliminating various countries who generate a lot of hacking activity from being able to access servers.

The problem/discussion was how to do it. Gerald was kind enough to share his ip address list for Korea that he painstakingly compiled. With about 100 entries, it looked pretty daunting.

In reading a book, I came across a realization: you don't have to use IP addresses. This is logical too, I guess. They talk about how you could deny AOL users, with the following in your hosts.deny

ALL: .aol.com

Naturally, I thought, why couldn't I just do the following to kill off Korea easily:

ALL: .kr

My questions/thoughts are 2....

1) It seems that the longer your hosts.deny, the worse server performance one can expect. True/Untrue or insignificant until you have a billion or so entries?

2) I noticed that many of my port sentry log entries contain only ip addresses - no domain names. I later find out via ARIN that these come from Korea or wherever. Does anyone know, off hand, if an entry such as .kr would stop that? I guess the question is whether the system did a reverse lookup and just didn't show it to me always, or if it was unable to do the reverse lookup.

There is also a PARANOID option, which can be put in hosts_options, which is used if "you want tcpd to drop hosts when their hostname doesn't match their IP addresses". This seems like it could be fun to play with - would only allow people on "the up and up" into the server....

Thoughts?
Rick Ewart
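The matching behaviour behind question 2, as an added example that is not part of the original post: a small Python model of how tcpd-style hosts.deny patterns (a domain suffix like .kr, an address prefix, UNKNOWN, PARANOID) are tested against a connecting client. The DNS tables, hostnames and addresses below are constructed; real tcpd asks the resolver.

```python
"""Model of tcpd (TCP wrappers) client-pattern matching for hosts.deny.

Constructed example. Pattern forms modelled, as documented in hosts_access(5):
  '.kr'        matches when the resolved client hostname ends with '.kr'
  '203.0.113.' matches when the client address starts with that prefix
  'UNKNOWN'    matches a client whose reverse lookup failed (bare IP in logs)
  'PARANOID'   matches a client whose reverse name does not map back to its address
"""

# Constructed reverse (PTR) and forward (A) tables using documentation address ranges.
REVERSE = {
    "203.0.113.10": "mail.example.kr",
    "198.51.100.7": "spoofed.example.kr",   # forward lookup disagrees, see FORWARD
    "192.0.2.44": "host.example.com",
}
FORWARD = {
    "mail.example.kr": "203.0.113.10",
    "spoofed.example.kr": "203.0.113.99",
    "host.example.com": "192.0.2.44",
}

def resolve(addr):
    """Return (hostname or None, paranoid) the way tcpd derives them for a client."""
    name = REVERSE.get(addr)
    if name is None:
        return None, False               # reverse lookup failed: client is UNKNOWN
    # tcpd double-checks that the name resolves back to the same address
    return name, FORWARD.get(name) != addr

def pattern_matches(pattern, addr, name, paranoid):
    if pattern == "ALL":
        return True
    if pattern == "UNKNOWN":
        return name is None
    if pattern == "PARANOID":
        return paranoid
    if pattern.startswith("."):          # domain suffix, e.g. .kr or .aol.com
        return name is not None and name.endswith(pattern)
    if pattern.endswith("."):            # address prefix, e.g. 203.0.113.
        return addr.startswith(pattern)
    return pattern in (addr, name)       # exact hostname or address

def denied(deny_rules, daemon, addr):
    """deny_rules: 'daemon_list: client_list' lines as written in hosts.deny."""
    name, paranoid = resolve(addr)
    for line in deny_rules:
        daemons, _, clients = line.partition(":")
        if not any(d.strip() in ("ALL", daemon) for d in daemons.split(",")):
            continue
        if any(pattern_matches(p.strip(), addr, name, paranoid) for p in clients.split(",")):
            return True
    return False
```

Run against the tables above, `ALL: .kr` catches 203.0.113.10 (reverse name mail.example.kr) but not 203.0.113.200, which has no PTR record and therefore only matches UNKNOWN or an address prefix; `ALL: PARANOID` catches 198.51.100.7 because its reverse name resolves forward to a different address.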