<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 24 February 2015 at 05:46, Hubert Kario <span dir="ltr"><<a href="mailto:hkario@redhat.com" target="_blank">hkario@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On Tuesday 24 February 2015 13:08:46 Tomas Mraz wrote:<br>
> On Út, 2015-02-24 at 12:32 +0100, Hubert Kario wrote:<br><br>
> > rate limiting and denyhosts have no impact what so ever when the attacker<br>
> > has a botnet to his disposal<br>
><br>
> Large botnet means that the attack is targeted. I do not think we can<br>
> prevent targeted attack against weak password in the default<br>
> configuration. What we should aim at is prevention of non-targeted<br>
> attacks such as attacks you can see when you open ssh port on a public<br>
> IP almost immediately. These attacks usually come from single IP<br>
> address.<br>
<br>
</div></div>Not necessarily, I've seen both - where an IP did try just 2 or 3<br>
password/user combinations and ones that did try dozens.<br>
<br>
Having access to botnet is not uncommon or expensive, making it possible for<br>
"bored student" kind of targeted attacks. You can do low level of such an<br>
attack with just EC2.<br>
<br>
I'm not saying that we shouldn't have rate limiting, but it shouldn't be the<br>
only thing above simple dictionary check.<br>
<div class="HOEnZb"><div class="h5"><br></div></div></blockquote><div><br></div><div>That matches what I am seeing with a couple of random servers I have out there. The number of attacks where IP address one is doing </div><div><br></div><div>apple:apple</div><div>apple:123456</div><div>apple:trustn01</div><div>apple:...</div><div>bob:bob</div><div>bob:123456</div><div>bob:trustn01</div><div>bob:password</div><div><br></div><div>where if box A is blocked a new ip address starts up exactly where the first one stopped is much more common now than it was say 2 years ago and it will keep going until 50-60 boxes are rotated through. </div><div><br></div></div>-- <br><div class="gmail_signature"><div dir="ltr">Stephen J Smoogen.<br><br></div></div>
</div></div>