[nos-bbs] Jnos memory leak with forwarding
Michael Fox - N6MEF
n6mef at mefox.org
Thu Oct 19 19:54:05 EDT 2017
Yes, well fail2ban does help even in the case of an attacker switching machines, because (at least as I’ve seen), they may have a dozen or two dozen machines that they rotate amongst and fail2ban takes care of keeping track of them. With judicious selection of the timers/counters, you can catch a lot. It can’t solve every problem, but it’s a good tool for repeat offender cases, even if the offender is a gang.
I see Maiko also reminded us of what he’s added (which I’m ashamed to admit, I forgot). I need to add that to my config. Defense in depth, as the phrase goes.
You can also perform rate limiting in iptables, both for an individual IP and generally to protect against DOS and DDOS. Rate limiting is always tricky in the general sense because you can end up blocking legitimate traffic. But for a specific application like JNOS, where you can probably define what type of connection activity you expect, especially from non 44/8, you can certainly throttle it there.
Lastly, I often use tcpdump, tshark, wireshark and/or additional iptables logging to capture suspect, intermittent traffic.
It’s sad that we have to expend so much time and effort to protect ourselves. But the bad guys are hard at work and getting trickier every day.
From: nos-bbs [mailto:nos-bbs-bounces at tapr.org] On Behalf Of Gustavo Ponza
Sent: Thursday, October 19, 2017 2:25 PM
To: nos-bbs at tapr.org
Subject: Re: [nos-bbs] Jnos memory leak with forwarding
Michael and all,
for what concerning the JNOS the problem is subtle, namely
do not appear as the regular telnet connect, and so for me
is almost impossible to register what really happens.
I can register the traffic on 5 min basis and not more.
I never used the fail2ban... but I think it go maid since
when you block an IP/Hostname the attacker switch to an
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the nos-bbs