[nos-bbs] Jnos memory leak with forwarding

Gustavo Ponza g.ponza at tin.it
Fri Oct 20 03:58:27 EDT 2017


Hi Michael,

TNX for this in-depth explanation. Hope to study fail2ban
as soon as time permits.

However, Maiko did a great job on the 'tcp access' and
'blacklist' features, and I'm confident that many
if not all accesses should be banned :)

73, gus

On 10/20/2017 01:54 AM, Michael Fox - N6MEF wrote:
>
> Hi Gus,
>
> Yes, well fail2ban does help even in the case of an attacker switching 
> machines, because (at least as I’ve seen), they may have a dozen or 
> two dozen machines that they rotate amongst and fail2ban takes care of 
> keeping track of them.  With judicious selection of the 
> timers/counters, you can catch a lot.  It can’t solve every problem, 
> but it’s a good tool for repeat offender cases, even if the offender 
> is a gang.
>
> I see Maiko also reminded us of what he’s added (which I’m ashamed to 
> admit, I forgot).  I need to add that to my config.  Defense in depth, 
> as the phrase goes.
>
> You can also perform rate limiting in iptables, both for an individual 
> IP and generally to protect against DOS and DDOS.  Rate limiting is 
> always tricky in the general sense because you can end up blocking 
> legitimate traffic.  But for a specific application like JNOS, where 
> you can probably define what type of connection activity you expect, 
> especially from non 44/8, you can certainly throttle it there.
>
> Lastly, I often use tcpdump, tshark, wireshark and/or additional 
> iptables logging to capture suspect, intermittent traffic.
>
> It’s sad that we have to expend so much time and effort to protect 
> ourselves.  But the bad guys are hard at work and getting trickier 
> every day.
>
> Michael
>
> N6MEF
>
> *From:* nos-bbs [mailto:nos-bbs-bounces at tapr.org] *On Behalf Of*
> Gustavo Ponza
> *Sent:* Thursday, October 19, 2017 2:25 PM
> *To:* nos-bbs at tapr.org
> *Subject:* Re: [nos-bbs] Jnos memory leak with forwarding
>
> Michael and all,
>
> as far as JNOS is concerned, the problem is subtle, namely
> it does not appear as a regular telnet connect, and so for me
> it is almost impossible to register what really happens.
> I can register the traffic on a 5 min basis and not more.
>
> I never used fail2ban... but I think it goes mad, since
> when you block an IP/hostname the attacker switches to
> another identity.
>

-- 
73 and ciao, gus i0ojj/ir0aab
A proud member of linux team
Quidquid latine dictum sit, altum videtur
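The exchange above turns on fail2ban's timers and counters: how many failures (maxretry) inside what window (findtime) earn a ban of what length (bantime), and why a too-narrow window lets a slow, rotating offender through. The following is an added example, not code from this thread, from JNOS, or from fail2ban itself: a small sliding-window tracker with those three knobs, replayed over constructed syslog-style lines. The log message text, the host name, the addresses and the 2017 year supplied for the year-less syslog timestamps are all assumptions made for the example.

```python
"""Sliding-window repeat-offender tracking in the spirit of fail2ban's
maxretry / findtime / bantime settings, run over constructed log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a generic syslog-like shape.  The message
# text and addresses are invented for this example; this is not real JNOS output.
SAMPLE_LOG = """\
Oct 19 14:20:01 bbs jnos: telnet connect refused from 198.51.100.7
Oct 19 14:20:09 bbs jnos: telnet connect refused from 198.51.100.7
Oct 19 14:20:15 bbs jnos: telnet connect refused from 198.51.100.7
Oct 19 14:20:20 bbs jnos: telnet login ok from 44.131.5.9
Oct 19 14:21:00 bbs jnos: telnet connect refused from 203.0.113.4
Oct 19 14:40:00 bbs jnos: telnet connect refused from 203.0.113.4
Oct 19 14:59:00 bbs jnos: telnet connect refused from 203.0.113.4
"""

# Only "refused" lines count as failures; successful logins are ignored.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ jnos: "
    r"telnet connect refused from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_syslog_time(stamp, year=2017):
    """Syslog timestamps carry no year; the caller supplies it (assumed 2017 here)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


class Jail:
    """Tracks failures per source IP and decides when to ban.

    maxretry: failures needed inside one findtime window to trigger a ban
    findtime: width of the sliding window, in seconds
    bantime:  how long a ban stays active, in seconds
    """

    def __init__(self, maxretry=3, findtime=600, bantime=3600):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.bans = {}                       # ip -> datetime when the ban expires

    def is_banned(self, ip, now):
        """True while a ban is active; expired bans are dropped lazily."""
        expiry = self.bans.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.bans[ip]
            return False
        return True

    def record_failure(self, ip, now):
        """Register one failure; return True only when it triggers a new ban."""
        if self.is_banned(ip, now):
            return False
        window = self.failures[ip]
        window.append(now)
        # Drop failures that have fallen out of the findtime window.
        while window and now - window[0] > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[ip] = now + self.bantime
            window.clear()
            return True
        return False


def ban_command(ip):
    """An iptables DROP rule of the kind a ban action would insert.
    Illustrative only; fail2ban's shipped actions use their own chains."""
    return f"iptables -I INPUT -s {ip} -j DROP"


def scan_log(log_text, maxretry=3, findtime=600, bantime=3600):
    """Replay a log through a Jail; return {ip: ISO time of the ban} for new bans."""
    jail = Jail(maxretry, findtime, bantime)
    banned_at = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = parse_syslog_time(m.group("ts"))
        ip = m.group("ip")
        if jail.record_failure(ip, ts):
            banned_at[ip] = ts.isoformat()
    return banned_at


if __name__ == "__main__":
    # With a 10-minute window only the fast burst from 198.51.100.7 is caught;
    # widening findtime to an hour also catches the slow 203.0.113.4 pattern.
    for ft in (600, 3600):
        print(f"findtime={ft}s:")
        for ip, when in scan_log(SAMPLE_LOG, findtime=ft).items():
            print(f"  {when}  {ban_command(ip)}")
```

The two runs in the `__main__` block are the point Michael makes about judicious timer selection: with `findtime=600` the three failures from 203.0.113.4, spread over 38 minutes, never coexist in one window and no ban results, while `findtime=3600` catches them. The cost of the wider window is a higher chance of banning a legitimate user who mistypes a few times, which is why the two knobs are tuned together rather than simply maximised.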
