[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: what do you do when you have attempted hacks in your logs



On Thu, Feb 24, 2005 at 01:01:19AM -0600, eric wrote:
> > > I always add the IP to my block list, but that's about it....
>   
> When do you remove it?

Most likely, never. If you are on my blacklist, you really had to work
at it. Hard. Although, I would consider large donations of cash and/or
beer :-)

> On Thu, 2005-02-24 at 01:02:30 -0500, Jeff Nelson proclaimed...
> 
> > That can never hurt. If I see an actual hack attempt, I would do the
> > same. However, as you gain confidence in the operating system's ability
> > to secure your network, as well as your ability to configure the system
> > for your needs, I believe what you now see as a "hack attempt", you will
> > merely consider "noise".
> 
> It's problematic that people add malicious source addresses to these
> blacklists, but then never remove them.

Agreed.

> How do you know some NAT device isn't proxying 99% of "good" traffic
> and that 1% of bad traffic?

I don't know, nor do I care.

> Blacklists, IMHO, should be applied carefully and reviewed often.

Absolutely. That's why I only have 3 IP's in my blacklist.

> Else large portions of the Internet can't talk to each other 
> (if you're a large enough provider).

I am not even a "small" provider. An ISP would require a more flexible
policy. Obviously.

On my small network, I know who I want to talk to, and who I do not.

Have a great day!
-jeff