On 12/03/2008 09:02 PM, Steve wrote:
> I've recently discovered a curious pattern emerging in my system log
> with failed login attempts via ssh.
>
> I'm not particularly concerned - since I'm confident that all my users
> have strong passwords... but it strikes me that this data identifies a
> bot-net that is clearly malicious attempting to break passwords.
>
> Sure, I could use IPtables to block all these bad ports... or... I could
> disable password authentication entirely... but I keep thinking that
> there has to be something better I can do... any suggestions? Is there
> a simple way to integrate a block-list of known-compromised hosts into
> IPtables - rather like my postfix is configured to drop connections from
> known spam sources from the sbl-xbl.spamhaus.org DNS block list, for
> example.

I just don't see what blocking ssh-bruteforce attempts should be good
for, at least on a server where few _users_ are active.

The chance that security of a well configured system will be compromised
by that is next to zero, and on recent systems it is also impossible to
cause significant load with ssh-login-attempts.

Also, things like fail2ban add new attack-possibilities to a system, I
remember the old DoS for fail2ban, resulting from a wrong regex in log
file parsing, but I think at least this is fixed now.

Regards,
Christian Franke
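As an added illustration, not part of the thread, of the parsing care Christian's fail2ban remark points at: a small per-address counter of failed ssh logins over constructed sshd log lines, with an end-anchored regex beside an unanchored one that trusts text inside the attacker-chosen username field. The log format assumed is OpenSSH's standard "Failed password for ... from <ip> port <n> ssh2" line; the sample lines and addresses are made up.

```python
import re
from collections import Counter

# Constructed sshd log lines (not from the original mail). The last one
# carries a crafted username that itself contains " from <ip> port ... ssh2".
SAMPLE_LOG = """\
Dec  3 20:58:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51522 ssh2
Dec  3 20:58:03 host sshd[2102]: Failed password for root from 203.0.113.5 port 51530 ssh2
Dec  3 20:58:04 host sshd[2103]: Failed password for invalid user test from 203.0.113.9 port 40011 ssh2
Dec  3 20:58:05 host sshd[2104]: Failed password for invalid user oracle from 203.0.113.5 port 51540 ssh2
Dec  3 20:58:06 host sshd[2105]: Accepted publickey for alice from 198.51.100.7 port 33010 ssh2
Dec  3 20:58:07 host sshd[2106]: Failed password for invalid user x from 192.0.2.1 port 1 ssh2 from 203.0.113.5 port 51550 ssh2
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Anchored at the end of the line: the real source address is always the
# final "from <ip> port <n> ssh2" token, so whatever sits inside the
# username cannot be taken for it.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.+) from "
    rf"(?P<ip>{IPV4}) port \d+ ssh2$"
)

# Unanchored, non-greedy variant of the kind a hasty rule might use: it
# stops at the first "from <ip>" and so reports attacker-controlled text.
SLOPPY_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>.+?) from "
    rf"(?P<ip>{IPV4})"
)


def failed_logins(log: str, pattern: re.Pattern = FAILED_RE) -> Counter:
    """Count failed password attempts per source address."""
    counts: Counter = Counter()
    for line in log.splitlines():
        m = pattern.search(line.rstrip())
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(log: str, threshold: int = 3) -> list:
    """Addresses with at least `threshold` failures, most active first."""
    return [ip for ip, n in failed_logins(log).most_common() if n >= threshold]


if __name__ == "__main__":
    print("anchored:", dict(failed_logins(SAMPLE_LOG)))
    print("sloppy:  ", dict(failed_logins(SAMPLE_LOG, SLOPPY_RE)))
    print("offenders:", offenders(SAMPLE_LOG))
```

With the anchored pattern the crafted line is still attributed to 203.0.113.5; the unanchored one credits the failure to 192.0.2.1, an address the attacker picked, which is exactly how a log-driven blocker ends up banning the wrong host.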