Subject: Re: Correct way to block web bots and other unwanted traffic?
To: Henry Nelson <netb@yuba.ne.jp>
From: Brian McEwen <bmcewen@comcast.net>
List: netbsd-help
Date: 12/05/2006 19:07:11
On Dec 5, 2006, at 4:48 PM, Henry Nelson wrote:

> Besides foul robots, I also log worm and cracker access.  Because of that,
> I can't block individual IPs.  If I did, there would be quite literally
> thousands in my ipf.conf file.  What I do is block the entire 'B' class if
> I get more than 10 unique IPs from the same domain, and block the 'C' class
> if I get more than 2.  Even then, after only about two years of doing this
> my ipf.conf file has grown too large.  I think now what I need to do is
> date them, and start culling some of the older ones.

I'm certainly no guru but a couple of notes I've found useful:

Alex Pelts on port-cobalt Sept 12 2006 had an observation about port
22 access attempts: spawning "sleep 20" seconds in hosts.deny made
all? hack attempts time out while not harming legit users (whose ssh
clients waited longer than the delay).  Not necessarily a solution
for all, but useful for some with light use, I'd guess.  I know I'm
using it, although I only have port 22 open for a few users.

The DenyHosts script is handy and has some predictive power if you  
use the new(ish) networked database of attacking/compromised hosts.
http://denyhosts.sourceforge.net/

Brian
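The class-based blocking and culling scheme Henry describes above (block a /24 once more than 2 unique offending IPs show up in it, block a /16 once more than 10 do, date the rules, drop old ones) can be mechanised so the ipf.conf does not have to be maintained by hand. The following is an added example and not code from either poster: it reads a list of (IP, date last seen) pairs, emits dated `block in quick` rules, and culls rules older than a cut-off. The interface name `fxp0`, the `# added YYYY-MM-DD` comment convention, and the sample offender list (documentation address ranges) are all assumptions constructed for the example.

```python
"""Generate and cull ipf block rules from a list of offending source IPs.

Thresholds follow the thread: more than 2 unique IPs in a /24 ("C class")
blocks the /24, more than 10 unique IPs in a /16 ("B class") blocks the
/16.  /24 rules already covered by a blocked /16 are dropped so the file
stays small.  Every rule carries a date comment so it can be culled later.
Interface name and comment format are assumptions, not from the mail.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import date

IFACE = "fxp0"      # assumed interface name
C_THRESHOLD = 2     # more than this many unique IPs in a /24 -> block the /24
B_THRESHOLD = 10    # more than this many unique IPs in a /16 -> block the /16

# Constructed sample offenders (RFC 5737 documentation ranges, not real data).
# Each entry: (source IP, date last seen in the logs).
SAMPLE_HITS = [
    ("198.51.100.7", date(2006, 12, 1)),
    ("198.51.100.9", date(2006, 12, 2)),
    ("198.51.100.77", date(2006, 12, 3)),   # 3 unique in 198.51.100.0/24 -> /24 rule
    ("192.0.2.5", date(2006, 12, 4)),
    ("192.0.2.6", date(2006, 12, 4)),       # only 2 in 192.0.2.0/24 -> no rule
] + [(f"203.0.113.{i}", date(2006, 12, 5)) for i in range(1, 7)] \
  + [(f"203.0.99.{i}", date(2006, 12, 5)) for i in range(1, 6)]
# 203.0.0.0/16 holds 11 unique IPs -> /16 rule, which covers both /24s above.


def aggregate(hits, c_threshold=C_THRESHOLD, b_threshold=B_THRESHOLD):
    """Return {network: (unique_ip_count, newest_date)} for networks over threshold."""
    by_c = defaultdict(dict)   # /24 -> {ip: newest date seen}
    by_b = defaultdict(dict)   # /16 -> {ip: newest date seen}
    for ip_str, seen in hits:
        ip = ipaddress.ip_address(ip_str)
        if ip.version != 4:
            continue            # example handles IPv4 class-style blocks only
        c = ipaddress.ip_network(f"{ip}/24", strict=False)
        b = ipaddress.ip_network(f"{ip}/16", strict=False)
        for bucket in (by_c[c], by_b[b]):
            if ip not in bucket or bucket[ip] < seen:
                bucket[ip] = seen

    blocked_b = {net: (len(ips), max(ips.values()))
                 for net, ips in by_b.items() if len(ips) > b_threshold}
    blocked = dict(blocked_b)
    for net, ips in by_c.items():
        if len(ips) > c_threshold and not any(net.subnet_of(b) for b in blocked_b):
            blocked[net] = (len(ips), max(ips.values()))
    return blocked


def to_ipf_rules(blocked, iface=IFACE):
    """Render one dated 'block in quick' rule per network, sorted by address."""
    return [
        f"block in quick on {iface} from {net} to any"
        f"  # added {newest.isoformat()} ({count} hosts)"
        for net, (count, newest) in sorted(blocked.items())
    ]


DATE_RE = re.compile(r"#\s*added\s+(\d{4}-\d{2}-\d{2})")


def cull(rule_lines, today, max_age_days=365):
    """Drop dated rules older than max_age_days; undated lines are kept as-is."""
    kept = []
    for line in rule_lines:
        m = DATE_RE.search(line)
        if m and (today - date.fromisoformat(m.group(1))).days > max_age_days:
            continue
        kept.append(line)
    return kept


if __name__ == "__main__":
    rules = to_ipf_rules(aggregate(SAMPLE_HITS))
    print("\n".join(rules))
    print("--- after culling entries older than a year (as of 2008-01-01) ---")
    print("\n".join(cull(rules, date(2008, 1, 1))))
```

Run it periodically against whatever you already extract from your logs, write the output to a file that ipf.conf includes, and reload with `ipf -Fa -f`; the date comment is what makes the culling pass possible without remembering when each block was added.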