Forum Replies Created

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter advwebsys

    (@advwebsys)

    hi –

    been away for a bit, but earlier today, i noticed another ‘incident’. this time there were 145 connections open to noc3. from the time i discovered this until all the connections were closed was over 10 minutes.

    so here’s what i don’t understand – and i HATE not understanding things – assuming there’s a brute force attack on a site, once this is recognized, why would it not take a single connection to your service to say “this ip is a bad guy?”

    on another note – we use iptables to block ips (and sometimes whole networks or subnets) which participate in attempting to connect via ftp or ssh.

    do you think an option in wordfence to add these ip addresses to iptables makes sense? if the option were turned on, the server that initially finds the attacker notifies you, then adds the offending ip into iptables. when you broadcast the ip to other users, if they have the option to use iptables, then you add that ip into their iptables rule set.

    of course, one would need to implement an iptables-save call and the system admin would need to issue an iptables-restore on a reboot.

    the nice thing is the packets get dropped immediately upon receipt (less work for mother).

    just my 2 cents <grin>.
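    The blocking idea sketched above, as an added example that is not code from this thread or from Wordfence: count failed-login events per source, refuse to block loopback, private and the server’s own ranges (an allowlist a practitioner would insist on before automating anything that touches the firewall), and insert an idempotent DROP rule into a dedicated chain. The chain name `WF_BLOCK`, the threshold and all addresses are constructed values.

```python
import ipaddress
import subprocess
from collections import Counter

# Constructed sample of (source ip, username) failed-login events as a
# brute-force detector might report them; not real traffic.
SAMPLE_EVENTS = (
    [("203.0.113.7", "admin")] * 6
    + [("198.51.100.23", "wpadmin")] * 5
    + [("192.168.1.5", "admin")] * 7       # private range, must never be blocked
    + [("203.0.113.9", "admin")] * 2       # below threshold
    + [("not-an-ip", "admin")] * 6         # malformed input from a buggy reporter
    + [("2001:db8::1", "admin")] * 6       # IPv6 belongs in ip6tables, not iptables
)

CHAIN = "WF_BLOCK"   # hypothetical dedicated chain, hooked from INPUT by the admin
THRESHOLD = 5
# Never block these even if a detector flags them: loopback, RFC1918 space and
# the server's own address (constructed example value 198.51.100.10).
ALLOW = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "198.51.100.10/32")]

def is_blockable(ip_str):
    """True only for a well-formed, public IPv4 address outside the allowlist."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    if ip.version != 4:
        return False
    return not any(ip in net for net in ALLOW)

def offenders(events, threshold=THRESHOLD):
    """Sources with at least `threshold` failures that are safe to block."""
    counts = Counter(ip for ip, _ in events)
    return sorted(ip for ip, n in counts.items() if n >= threshold and is_blockable(ip))

def block_commands(ip):
    # -C checks for an existing rule so repeated reports of the same ip do not
    # stack duplicates; -I 1 inserts at the top of the chain only when -C fails.
    return ([
        "iptables", "-C", CHAIN, "-s", ip, "-j", "DROP"], [
        "iptables", "-I", CHAIN, "1", "-s", ip, "-j", "DROP"])

def apply_block(ip, run=subprocess.run):
    """Insert the DROP rule if absent; returns True when a rule was added.
    After a batch, `iptables-save > /etc/iptables.rules` persists the table so
    the admin can iptables-restore it on reboot, as the post notes."""
    check, insert = block_commands(ip)
    if run(check, capture_output=True).returncode != 0:
        run(insert, check=True)
        return True
    return False
```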

    Thread Starter advwebsys

    (@advwebsys)

    tim – i’ve been doing linux admin for close to 20 years now, so while i appreciate your post, i know this stuff. the question is not ‘why time-wait’, but why so many connections were open.

    Thread Starter advwebsys

    (@advwebsys)

    tim – the implication of what you said is that all the wp sites on my server should have open connections to noc3 awaiting new ip addresses to be blocked.

    but, it clearly doesn’t work that way as the connections disappeared after about (i think) 15 minutes.

    if the blocking info was passed in real time, wouldn’t you be pushing to me? the netstat listing clearly shows that we opened random ports (in the 52000 range) and connected to noc3 on port 9050.

    i guess i just don’t understand how the mechanism works….
