| 1 |
On 12/03/2008 09:02 PM, Steve wrote: |
| 2 |
> I've recently discovered a curious pattern emerging in my system log |
| 3 |
> with failed login attempts via ssh. |
| 4 |
> |
| 5 |
> I'm not particularly concerned - since I'm confident that all my users |
| 6 |
> have strong passwords... but it strikes me that this data identifies a |
| 7 |
> bot-net that is clearly malicious attempting to break passwords. |
| 8 |
> |
| 9 |
> Sure, I could use IPtables to block all these bad ports... or... I could |
| 10 |
> disable password authentication entirely... but I keep thinking that |
| 11 |
> there has to be something better I can do... any suggestions? Is there |
| 12 |
> a simple way to integrate a block-list of known-compromised hosts into |
| 13 |
> IPtables - rather like my postfix is configured to drop connections from |
| 14 |
> known spam sources from the sbl-xbl.spamhaus.org DNS block list, for |
| 15 |
> example. |
| 16 |
|
| 17 |
I just don't see what blocking ssh-bruteforce attempts should be good |
| 18 |
for, at least on a server where few _users_ are active. |
| 19 |
|
| 20 |
The chance that security of a well configured system will be compromised |
| 21 |
by that is next to zero, and on recent systems it is also impossible to |
| 22 |
cause significant load with ssh-login-attempts. |
| 23 |
|
| 24 |
Also, things like fail2ban add new attack-possibilities to a system, I |
| 25 |
remember the old DoS for fail2ban, resulting from a wrong regex in log |
| 26 |
file parsing, but I think at least this is fixed now. |
| 27 |
|
| 28 |
Regards, |
| 29 |
Christian Franke |
Archives