<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi Michael,<br>
<br>
TNX for this in-depth explanation. I hope to study fail2ban<br>
as soon as time permits.<br>
<br>
However, Maiko did a great job on the 'tcp access' and<br>
'blacklist' features, and I'm confident that many<br>
if not all accesses should be banned :)<br>
<br>
73, gus<br>
<br>
<div class="moz-cite-prefix">On 10/20/2017 01:54 AM, Michael Fox -
N6MEF wrote:<br>
</div>
<blockquote type="cite"
cite="mid:023301d34935$8d4e0030$a7ea0090$@mefox.org">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Hi Gus,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Yes, well
fail2ban does help even in the case of an attacker switching
machines, because (at least as I’ve seen), they may have a
dozen or two dozen machines that they rotate amongst and
fail2ban takes care of keeping track of them. With
judicious selection of the timers/counters, you can catch a
lot. It can’t solve every problem, but it’s a good tool for
repeat offender cases, even if the offender is a gang. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">I see Maiko
also reminded us of what he’s added (which I’m ashamed to
admit, I forgot). I need to add that to my config. Defense
in depth, as the phrase goes.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">You can also
perform rate limiting in iptables, both for an individual IP
and generally to protect against DOS and DDOS. Rate
limiting is always tricky in the general sense because you
can end up blocking legitimate traffic. But for a specific
application like JNOS, where you can probably define what
type of connection activity you expect, especially from non
44/8, you can certainly throttle it there. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Lastly, I often
use tcpdump, tshark, wireshark and/or additional iptables
logging to capture suspect, intermittent traffic.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">It’s sad that
we have to expend so much time and effort to protect
ourselves. But the bad guys are hard at work and getting
trickier every day.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Michael<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">N6MEF <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in
0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span
style="color:windowtext"> nos-bbs
[<a class="moz-txt-link-freetext" href="mailto:nos-bbs-bounces@tapr.org">mailto:nos-bbs-bounces@tapr.org</a>] <b>On Behalf Of </b>Gustavo
Ponza<br>
<b>Sent:</b> Thursday, October 19, 2017 2:25 PM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:nos-bbs@tapr.org">nos-bbs@tapr.org</a><br>
<b>Subject:</b> Re: [nos-bbs] Jnos memory leak with
forwarding<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><tt><span
style="font-size:10.0pt">Michael and all,</span></tt><span
style="font-size:10.0pt;font-family:"Courier
New""><br>
<br>
<tt>for what concerning the JNOS the problem is subtle,
namely</tt><br>
<tt>do not appear as the regular telnet connect, and so
for me</tt><br>
<tt>is almost impossible to register what really happens.</tt><br>
<tt>I can register the traffic on 5 min basis and not
more.</tt><br>
<br>
<tt>I never used the fail2ban... but I think it go maid
since</tt><br>
<tt>when you block an IP/Hostname the attacker switch to
an</tt><br>
<tt>other identity. </tt></span></p>
</div>
</div>
</blockquote>
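<p>The rotating-attacker case Michael describes above, as an added example that is not from this thread and not fail2ban's own code: a simplified Python model of fail2ban's per-IP findtime/maxretry/bantime counting, run over constructed log lines in a made-up format (JNOS's real log format is not assumed), with documentation-range addresses standing in for the attacker's hosts. Each rotating host trips the threshold on its own, while a slow legitimate user whose failures fall outside the window is left alone.</p>

```python
import re
from collections import defaultdict

# Constructed log format (not JNOS's real one): "EPOCH telnet login failed from IPV4"
LINE_RE = re.compile(r"^(\d+) telnet login failed from (\d{1,3}(?:\.\d{1,3}){3})$")

class Jail:
    def __init__(self, maxretry=3, findtime=600, bantime=3600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(list)  # ip -> failure timestamps still inside findtime
        self.bans = {}                     # ip -> epoch at which the ban expires

    def is_banned(self, ip, now):
        return self.bans.get(ip, 0) > now

    def observe(self, line):
        """Feed one log line; return the IP if this line triggers a new ban, else None."""
        m = LINE_RE.match(line)
        if not m:
            return None
        ts, ip = int(m.group(1)), m.group(2)
        if self.is_banned(ip, ts):
            return None  # already banned; the firewall is dropping this host
        # Drop failures that fell out of the findtime window, then count this one.
        recent = [t for t in self.failures[ip] if t >= ts - self.findtime] + [ts]
        self.failures[ip] = recent
        if len(recent) >= self.maxretry:
            self.bans[ip] = ts + self.bantime
            self.failures[ip] = []
            return ip
        return None

def banned_ips(lines, **jail_opts):
    # Run the lines through a fresh Jail; return the IPs it banned, in ban order.
    return [ip for ip in map(Jail(**jail_opts).observe, lines) if ip]

# Constructed sample: one attacker rotating among three hosts, plus one slow legitimate user.
SAMPLE = [
    "1000 telnet login failed from 198.51.100.10",
    "1010 telnet login failed from 198.51.100.11",
    "1020 telnet login failed from 198.51.100.12",
    "1030 telnet login failed from 198.51.100.10",
    "1040 telnet login failed from 198.51.100.11",
    "1050 telnet login failed from 198.51.100.12",
    "1060 telnet login failed from 198.51.100.10",
    "1070 telnet login failed from 198.51.100.11",
    "1080 telnet login failed from 198.51.100.12",
    "1090 telnet login failed from 203.0.113.5",
    "2500 telnet login failed from 203.0.113.5",  # 1410 s later: outside findtime, no ban
]
```

<p>With the defaults, <tt>banned_ips(SAMPLE)</tt> returns the three rotating hosts and not the legitimate user; raising <tt>maxretry</tt> to 4 bans nobody, which is the timer/counter trade-off Michael mentions.</p>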
<br>
<pre class="moz-signature" cols="72">--
73 and ciao, gus i0ojj/ir0aab
A proud member of linux team
Quidquid latine dictum sit, altum videtur
</pre>
</body>
</html>