I implemented a filter policy on the 3430 firewall to drop connections that are trying brute force attacks on our servers. Even though I can block by subnet, I was wondering if it would be possible to do it by domain instead. I know we should not expect any connections from .cn, .ru, .il, etc., and it would be much easier to block at that level than waiting until a new attack from a new network in .cn shows up so we can block it.
Thanks.
-Marco
It isn't really practical to do it by domain, and rDNS can be easily manipulated. You can get some results by blocking by origin AS if you are connected by BGP with at least one full table, and also filter large IP blocks if not.
Also consider fail2ban on your servers. http://en.wikipedia.org/wiki/Fail2ban
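To make jayh's fail2ban suggestion concrete, here is an added example (not fail2ban's own code and not from anyone in this thread) that applies the same idea fail2ban uses: count failed sshd logins per source address inside a sliding time window (fail2ban calls these settings maxretry and findtime) and report the addresses that cross the threshold. The log lines are constructed, use RFC 5737 documentation addresses, and the year is assumed because syslog timestamps carry none; the iptables rule text is only a string the caller would review, nothing is executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log lines. 203.0.113.5 hammers the host, 198.51.100.7 is a
# legitimate user who mistypes twice, and 192.0.2.44 spreads five failures across
# two bursts 15 minutes apart (so it should NOT trip a 10-minute window).
SAMPLE_LOG = """\
Jan 10 12:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Jan 10 12:00:03 web1 sshd[2103]: Failed password for root from 203.0.113.5 port 41030 ssh2
Jan 10 12:00:04 web1 sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 41041 ssh2
Jan 10 12:00:06 web1 sshd[2107]: Accepted publickey for marco from 198.51.100.7 port 50222 ssh2
Jan 10 12:00:09 web1 sshd[2109]: Failed password for invalid user oracle from 203.0.113.5 port 41055 ssh2
Jan 10 12:00:10 web1 sshd[2111]: Failed password for invalid user oracle from 203.0.113.5 port 41056 ssh2
Jan 10 12:01:00 web1 sshd[2120]: Failed password for marco from 198.51.100.7 port 50230 ssh2
Jan 10 12:02:00 web1 sshd[2122]: Failed password for marco from 198.51.100.7 port 50231 ssh2
Jan 10 12:30:00 web1 sshd[2130]: Failed password for invalid user guest from 192.0.2.44 port 33001 ssh2
Jan 10 12:30:01 web1 sshd[2131]: Failed password for invalid user guest from 192.0.2.44 port 33002 ssh2
Jan 10 12:30:02 web1 sshd[2132]: Failed password for invalid user guest from 192.0.2.44 port 33003 ssh2
Jan 10 12:45:00 web1 sshd[2140]: Failed password for invalid user guest from 192.0.2.44 port 33004 ssh2
Jan 10 12:45:01 web1 sshd[2141]: Failed password for invalid user guest from 192.0.2.44 port 33005 ssh2
"""

# Matches OpenSSH "Failed password" lines; successful logins and unrelated daemons are ignored.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_failures(log_text, year=2013):
    """Yield (timestamp, source_ip) for each failed-login line.

    syslog timestamps have no year, so one is assumed (hypothetical value)."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            yield ts, m.group("ip")

def find_ban_candidates(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: time_threshold_was_crossed} for every source that produced at
    least `maxretry` failures inside any `findtime`-long window (fail2ban semantics)."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    banned = {}
    for ts, ip in parse_failures(log_text):
        if ip in banned:
            continue               # already decided; no need to keep counting
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()       # drop failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned

def to_drop_rules(banned):
    """Render the decision as host-firewall rules for an operator to review."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(banned)]

if __name__ == "__main__":
    for rule in to_drop_rules(find_ban_candidates(SAMPLE_LOG)):
        print(rule)
```

With the defaults only 203.0.113.5 is reported: the legitimate user never reaches the threshold, and 192.0.2.44 shows why the window matters, since its five failures are real but too spread out to count as one burst. Lowering maxretry to 3 catches 192.0.2.44 as well, which is the trade-off between blocking faster and locking out a fumbling colleague that fail2ban's settings let you tune per service.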
Jayh, thanks for the feedback. I will look into fail2ban.