On Tue 09/Dec/2025 18:11:49 +0100 Jaroslaw Rafa wrote:
> On 9.12.2025 at 12:11:34 Alessandro Vesely via mailop wrote:
>> First came 50.171.64.170, on the 7th around noon UTC. It had made
>> 590 login attempts to this server since March 2024, using both
>> existing and non-existent accounts. This time, it succeeded; it
>> seems possible, given that the password was trivial.
>
> If the IP has already made 590 login attempts to your server for such a long
> time, why hasn't it been already permanently blocked on your server long
> ago?

Good question.

I assign a probability of being blocked and a decay (half-life). It is
difficult to determine if the attempt is legit, so the decay is quite short.
On further attempts the probability doubles, and the initial probability is
such that three consecutive attempts cause it to reach 100%.

To avoid blocking users, I set the decay to 6 hours.

At the end of the day, I delete failed attempts from legitimately used IPs in the
last 30 days. However, this deletion is unreliable, and some legit IPs remain
registered and decay to 0 probability. The end-of-day is also when I check for
bad IPs. I should now change this process to increase the decay of bad IPs,
not just flag them. I think it's better than counting the failed attempts.

Best
Ale
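
The scoring scheme described in the message above, as an added Python example (not the poster's code). Assumptions not stated in the thread: time is counted in hours, a new failure never scores below the initial 0.25, flagged IPs get a 30-day half-life, and the address and timings are constructed.

```python
from dataclasses import dataclass

P0 = 0.25                    # 0.25 -> 0.5 -> 1.0: three consecutive failures hit 100%
HALF_LIFE_H = 6.0            # default decay from the message
BAD_HALF_LIFE_H = 24.0 * 30  # assumed half-life for IPs flagged as bad

@dataclass
class Entry:
    prob: float
    seen_h: float                    # time of last update, in hours
    half_life_h: float = HALF_LIFE_H

class BlockTable:
    def __init__(self):
        self.entries = {}

    def probability(self, ip, now_h):
        """Current block probability after exponential decay."""
        e = self.entries.get(ip)
        if e is None:
            return 0.0
        return e.prob * 0.5 ** ((now_h - e.seen_h) / e.half_life_h)

    def failed_login(self, ip, now_h):
        """Record a failure: double the decayed value, floor at P0, cap at 1.0."""
        e = self.entries.get(ip)
        if e is None:
            e = self.entries[ip] = Entry(P0, now_h)
        else:
            e.prob = min(1.0, max(P0, 2 * self.probability(ip, now_h)))
            e.seen_h = now_h
        return e.prob

    def flag_bad(self, ip, now_h):
        """End-of-day step: lengthen the half-life instead of only flagging."""
        e = self.entries.setdefault(ip, Entry(0.0, now_h))
        e.prob, e.seen_h = self.probability(ip, now_h), now_h
        e.half_life_h = BAD_HALF_LIFE_H

def replay(times_h, flag_after=None, ip="192.0.2.10"):
    """Feed constructed failure times (hours); return the probability after each."""
    table, out = BlockTable(), []
    for i, t in enumerate(times_h):
        out.append(table.failed_login(ip, t))
        if flag_after is not None and i + 1 == flag_after:
            table.flag_bad(ip, t)
    return out
```

With the 6-hour half-life, one failure per day never rises above 0.25; once the IP is flagged after its first failure, the fourth daily failure reaches 1.0.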