Subject: Re: Correct way to block web bots and other unwanted traffic?
To: NetBSD, Help <netbsd-help@NetBSD.org>
From: Henry Nelson <netb@yuba.ne.jp>
List: netbsd-help
Date: 12/06/2006 06:48:42
On Tue, Dec 05, 2006 at 12:30:40PM -0700, Andy Ruhl wrote:
> But the part of my question that I really want an answer to is, when I
> find some bot hitting my web server, is it best to block it by raw IP,
> fqdn, or just the domain? How do I make this decision? Seems like raw
> [...]
> change at any time. If I block the entire domain, I don't anticipate
> these guys being back, but I'm blocking things pretty broadly at that

I think this is a decision you'll have to make on your own.  Each
person will have their own level of "paranoia".

Besides foul robots, I also log worm and cracker access.  Because of that,
I can't block individual IPs.  If I did, there would be quite literally
thousands in my ipf.conf file.  What I do is block the entire 'B' class if
I get more than 10 unique IPs from the same domain, and block the 'C' class
if I get more than 2.  Even then, after only about two years of doing this
my ipf.conf file has grown too large.  I think now what I need to do is
date them, and start culling some of the older ones.

I wonder how these guys get the address for the web server in the first
place.  Within a few days of starting up the server, before I had told
anyone of the site's name, there were people trying to access it.  In your
case it's not even on port 80.  Mystery.

> Advice?

Oh, always. :)  Good luck.

-- 
henry nelson
  WWW_HOME=http://yuba(dot)ne(dot)jp/(tilde)home/
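
The thresholds described in the message above, as an added example that is not part of the original post or the poster's own tooling: it aggregates logged offender addresses into /16 ("B class") and /24 ("C class") IPFilter block rules and dates each batch so older ones can be culled. Assumptions: offenders are grouped by network prefix rather than by DNS domain, the `# added` comment convention and all function names are hypothetical, and the sample addresses are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import date, timedelta

B_THRESHOLD = 10  # more than 10 unique IPs -> block the /16 ("B class")
C_THRESHOLD = 2   # more than 2 unique IPs  -> block the /24 ("C class")

# Constructed sample of logged offender addresses (private and documentation ranges).
SAMPLE = [f"10.20.{i}.1" for i in range(11)] + [
    "192.0.2.5", "192.0.2.9", "192.0.2.9", "192.0.2.77",  # 3 unique in one /24
    "203.0.113.4", "203.0.113.8", "not-an-ip",            # 2 unique: below threshold
]

def networks_to_block(offenders):
    """Return the /16 and /24 networks selected by the two thresholds."""
    per16, per24 = defaultdict(set), defaultdict(set)
    for text in offenders:
        try:
            ip = ipaddress.IPv4Address(text.strip())
        except ValueError:
            continue  # skip malformed log fields and non-IPv4 addresses
        per16[ipaddress.ip_network(f"{ip}/16", strict=False)].add(ip)
        per24[ipaddress.ip_network(f"{ip}/24", strict=False)].add(ip)
    wide = [n for n, ips in per16.items() if len(ips) > B_THRESHOLD]
    # A /24 already covered by a blocked /16 would only bloat ipf.conf.
    narrow = [n for n, ips in per24.items() if len(ips) > C_THRESHOLD
              and not any(n.subnet_of(w) for w in wide)]
    return sorted(wide + narrow)

def render_rules(networks, added):
    """Emit one dated batch: a '# added' comment line, then the block rules."""
    return [f"# added {added.isoformat()}"] + [
        f"block in quick from {n} to any" for n in networks]

def cull(lines, today, max_age_days):
    """Drop every dated batch older than max_age_days; undated lines stay."""
    cutoff, stale, kept = today - timedelta(days=max_age_days), False, []
    for line in lines:
        if line.startswith("# added "):
            stale = date.fromisoformat(line[len("# added "):].strip()) < cutoff
        if not stale:
            kept.append(line)
    return kept

if __name__ == "__main__":
    print("\n".join(render_rules(networks_to_block(SAMPLE), date.today())))
```

Counting unique addresses per prefix means a single noisy host never triggers a wide block, and the per-batch date comment gives the culling pass something to key on.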