[nos-bbs] Jnos memory leak with forwarding
g.ponza at tin.it
Fri Oct 20 03:58:27 EDT 2017
TNX for this in-depth explanation. Hope to study fail2ban
as soon as time permits.
However, Maiko did a great job on these 'tcp access' and
'blacklist' features, and I'm confident that many
if not all accesses should be banned :)
On 10/20/2017 01:54 AM, Michael Fox - N6MEF wrote:
> Hi Gus,
> Yes, well fail2ban does help even in the case of an attacker switching
> machines, because (at least as I’ve seen), they may have a dozen or
> two dozen machines that they rotate amongst and fail2ban takes care of
> keeping track of them. With judicious selection of the
> timers/counters, you can catch a lot. It can’t solve every problem,
> but it’s a good tool for repeat offender cases, even if the offender
> is a gang.
> I see Maiko also reminded us of what he’s added (which I’m ashamed to
> admit, I forgot). I need to add that to my config. Defense in depth,
> as the phrase goes.
> You can also perform rate limiting in iptables, both for an individual
> IP and generally to protect against DOS and DDOS. Rate limiting is
> always tricky in the general sense because you can end up blocking
> legitimate traffic. But for a specific application like JNOS, where
> you can probably define what type of connection activity you expect,
> especially from non 44/8, you can certainly throttle it there.
> Lastly, I often use tcpdump, tshark, wireshark and/or additional
> iptables logging to capture suspect, intermittent traffic.
> It’s sad that we have to expend so much time and effort to protect
> ourselves. But the bad guys are hard at work and getting trickier
> every day.
> From: nos-bbs [mailto:nos-bbs-bounces at tapr.org] On Behalf Of Gustavo Ponza
> Sent: Thursday, October 19, 2017 2:25 PM
> To: nos-bbs at tapr.org
> Subject: Re: [nos-bbs] Jnos memory leak with forwarding
> Michael and all,
> as far as JNOS is concerned, the problem is subtle, namely it
> does not appear as a regular telnet connect, and so for me
> it is almost impossible to register what really happens.
> I can register the traffic on a 5 min basis and not more.
> I never used fail2ban... but I think it go maid since
> when you block an IP/Hostname the attacker switches to
> another identity.
73 and ciao, gus i0ojj/ir0aab
A proud member of linux team
Quidquid latine dictum sit, altum videtur
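
The rotating-pool point in the quoted reply, as an added example that is not from either poster and is not fail2ban's own code: a simplified model of per-address counting using fail2ban's `maxretry`, `findtime` and `bantime` settings, run over a constructed stream of failed attempts spread round-robin across a dozen addresses. The pool size, timings and 198.51.100.x documentation addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

def simulate_bans(events, maxretry=3, findtime=600, bantime=3600):
    """events: time-ordered (timestamp_seconds, ip) failed attempts.
    Returns (bans, blocked): bans lists (timestamp, ip) for each ban started,
    blocked counts attempts that arrived while the source was already banned."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside findtime
    banned_until = {}             # ip -> time at which the ban expires
    bans, blocked = [], 0
    for ts, ip in events:
        if banned_until.get(ip, 0) > ts:
            blocked += 1          # firewall drops it; the service never sees it
            continue
        window = recent[ip]
        window.append(ts)
        # forget failures that have aged out of the findtime window
        while window and window[0] <= ts - findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
            bans.append((ts, ip))
            window.clear()
    return bans, blocked

def rotating_pool(pool_size, attempts, interval):
    """Constructed sample: one failed attempt every `interval` seconds,
    rotating round-robin over `pool_size` source addresses."""
    pool = [f"198.51.100.{i + 1}" for i in range(pool_size)]
    return [(n * interval, pool[n % pool_size]) for n in range(attempts)]

if __name__ == "__main__":
    # 12 machines, one attempt every 20 s: each address returns every 240 s
    events = rotating_pool(pool_size=12, attempts=120, interval=20)
    for findtime in (600, 300):
        bans, blocked = simulate_bans(events, maxretry=3, findtime=findtime)
        print(f"findtime={findtime}: {len(bans)} addresses banned, "
              f"{blocked} of {len(events)} attempts blocked")
```

With a 600 s window every address in the pool reaches three failures and is banned; with a 300 s window each address's failures age out before the third arrives and nothing is banned, which is the timer/counter selection the reply refers to.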