On 24 February 2015 at 05:46, Hubert Kario <hkario@redhat.com> wrote:
> On Tuesday 24 February 2015 13:08:46 Tomas Mraz wrote:
> > On Tue, 2015-02-24 at 12:32 +0100, Hubert Kario wrote:
> >
> > > rate limiting and denyhosts have no impact whatsoever when the attacker
> > > has a botnet at his disposal
> >
> > Large botnet means that the attack is targeted. I do not think we can
> > prevent a targeted attack against a weak password in the default
> > configuration. What we should aim at is prevention of non-targeted
> > attacks, such as the attacks you see almost immediately when you open
> > an ssh port on a public IP. These attacks usually come from a single IP
> > address.
>
> Not necessarily; I've seen both: IPs that tried just 2 or 3
> password/user combinations and ones that tried dozens.
>
> Having access to a botnet is not uncommon or expensive, making "bored
> student" kinds of targeted attacks possible. You can do a low level of
> such an attack with just EC2.
>
> I'm not saying that we shouldn't have rate limiting, but it shouldn't be
> the only thing above a simple dictionary check.


That matches what I am seeing with a couple of random servers I have out there. The number of attacks where one IP address is doing

apple:apple
apple:123456
apple:trustn01
apple:...
bob:bob
bob:123456
bob:trustn01
bob:password

and, if box A is blocked, a new IP address starts up exactly where the first one stopped, is much more common now than it was, say, 2 years ago, and it will keep going until 50-60 boxes are rotated through.

--
Stephen J Smoogen.
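One way to spot the hand-off pattern Stephen describes (a new source IP resuming the same user list at the point where the blocked one stopped) from sshd auth logs. This is an added example, not code from the thread; the log lines and addresses are constructed, and since sshd does not log the password tried, the heuristic links IPs on the username sequence alone.

```python
import re

# Constructed sample sshd log lines (not from the thread): 203.0.113.10 works
# through a user list and stops at "bob"; 203.0.113.22 then picks up at "bob"
# and continues. 198.51.100.7 is an unrelated low-volume root probe.
SAMPLE_LOG = """\
Feb 24 05:01:01 host sshd[1001]: Failed password for invalid user apple from 203.0.113.10 port 50001 ssh2
Feb 24 05:01:03 host sshd[1001]: Failed password for invalid user apple from 203.0.113.10 port 50002 ssh2
Feb 24 05:01:05 host sshd[1002]: Failed password for invalid user bob from 203.0.113.10 port 50003 ssh2
Feb 24 05:01:09 host sshd[1003]: Failed password for root from 198.51.100.7 port 41000 ssh2
Feb 24 05:01:10 host sshd[1003]: Failed password for root from 198.51.100.7 port 41001 ssh2
Feb 24 05:01:20 host sshd[1004]: Failed password for invalid user bob from 203.0.113.22 port 60001 ssh2
Feb 24 05:01:22 host sshd[1004]: Failed password for invalid user bob from 203.0.113.22 port 60002 ssh2
Feb 24 05:01:25 host sshd[1005]: Failed password for invalid user carol from 203.0.113.22 port 60003 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user apple from ...".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

def attempts_by_ip(log_text):
    """Group failed logins per source IP, keeping the attempt order and the
    line index of each IP's first and last attempt (used as a quiet check)."""
    per_ip = {}
    for i, line in enumerate(log_text.splitlines()):
        m = FAILED_RE.search(line)
        if not m:
            continue
        rec = per_ip.setdefault(m["ip"], {"first": i, "last": i, "users": []})
        rec["last"] = i
        rec["users"].append(m["user"])
    return per_ip

def find_handoff_chains(per_ip):
    """Link IP B onto a chain whose current tail A went quiet before B started
    and whose last attempted user equals B's first attempted user. Returns
    only chains of two or more IPs, i.e. suspected rotating campaigns."""
    chains = []
    for ip, rec in sorted(per_ip.items(), key=lambda kv: kv[1]["first"]):
        for chain in chains:
            tail = per_ip[chain[-1]]
            if tail["last"] < rec["first"] and tail["users"][-1] == rec["users"][0]:
                chain.append(ip)
                break
        else:
            chains.append([ip])
    return [c for c in chains if len(c) > 1]

if __name__ == "__main__":
    for chain in find_handoff_chains(attempts_by_ip(SAMPLE_LOG)):
        print("suspected rotating campaign:", " -> ".join(chain))
```

A per-IP blocker (denyhosts, fail2ban) sees each address in such a chain as a fresh, low-count offender; grouping by chain lets a defender treat the campaign as one source when deciding on alerts or broader blocks.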