I love IP Tables....

jdow jdow at earthlink.net
Mon May 28 00:39:59 UTC 2007


From: "Tom Rivers" <tom at impact-crater.com>

> On Sat, 2007-05-26 at 13:16 -0700, Wolfgang S. Rupprecht wrote:
>> Such programs help you save the CPU time of sshd answering the
>> connection from a single abusive host, but would do little against a
>> distributed botnet attack.  Luckily botnets aren't really used against
>> sshd yet, but if they were you'd potentially be seeing distributed
>> guessing attacks from 10,000 different hosts.  If they all took turns
>> to guess a single password in round-robin fashion, the filters would
>> never trip.
> 
> You're right.  What do you recommend to protect against this sort of
> attack?

You could detect a large number of ssh failures total within a short
period of time and lock out ssh altogether for a period of seconds. That
would be a use for your script. Of course, it would leave you stuck with
a DoS condition. Now, if you can figure out how to do it, you open a second
ssh daemon on a different port, one that you know but that is randomly numbered. So if
you are DoSed out of the box you go to the security through obscurity
port that's been opened up. (Of course, that port should have the same
rules as the primary ssh port.)

{^_^}
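The following is an added illustration of the idea in the reply above (a global failure counter that trips where a per-host counter never does, plus the temporary blanket block); it is not code from the list posting or from any tool named on the page. The log lines are constructed in the style sshd writes to syslog, the hostname `gw`, the addresses, the thresholds and the backup-port remark are all assumptions, and the iptables commands are only generated as strings, not executed.

```python
"""Global vs. per-host SSH failure counting over constructed sshd log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): 12 distinct hosts each make ONE
# failed guess, round-robin, within about a minute. Two successful logins
# are mixed in and must be ignored by the parser.
SAMPLE_LOG = """\
May 28 00:30:01 gw sshd[4101]: Failed password for root from 10.0.0.1 port 40111 ssh2
May 28 00:30:06 gw sshd[4103]: Failed password for invalid user admin from 10.0.0.2 port 40112 ssh2
May 28 00:30:10 gw sshd[4105]: Accepted publickey for jdow from 192.168.1.5 port 51000 ssh2
May 28 00:30:11 gw sshd[4107]: Failed password for root from 10.0.0.3 port 40113 ssh2
May 28 00:30:16 gw sshd[4109]: Failed password for invalid user oracle from 10.0.0.4 port 40114 ssh2
May 28 00:30:21 gw sshd[4111]: Failed password for root from 10.0.0.5 port 40115 ssh2
May 28 00:30:26 gw sshd[4113]: Failed password for invalid user test from 10.0.0.6 port 40116 ssh2
May 28 00:30:31 gw sshd[4115]: Failed password for root from 10.0.0.7 port 40117 ssh2
May 28 00:30:36 gw sshd[4117]: Failed password for invalid user guest from 10.0.0.8 port 40118 ssh2
May 28 00:30:41 gw sshd[4119]: Failed password for root from 10.0.0.9 port 40119 ssh2
May 28 00:30:44 gw sshd[4121]: Accepted publickey for jdow from 192.168.1.5 port 51002 ssh2
May 28 00:30:46 gw sshd[4123]: Failed password for root from 10.0.0.10 port 40120 ssh2
May 28 00:30:51 gw sshd[4125]: Failed password for invalid user admin from 10.0.0.11 port 40121 ssh2
May 28 00:30:56 gw sshd[4127]: Failed password for root from 10.0.0.12 port 40122 ssh2
"""

# syslog timestamp, host, sshd[pid], then the standard "Failed password" message
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(lines, year=2007):
    """Return [(timestamp, user, source_ip)] for every failed-password line.
    syslog omits the year, so the caller supplies it (assumed 2007 here)."""
    out = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["user"], m["ip"]))
    return out


class SlidingCounter:
    """Counts events within the last `window_seconds`; add() returns True
    the moment the count reaches `threshold`."""

    def __init__(self, threshold, window_seconds):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.events = deque()

    def add(self, ts):
        self.events.append(ts)
        while self.events and ts - self.events[0] > self.window:
            self.events.popleft()          # expire entries outside the window
        return len(self.events) >= self.threshold


def first_per_host_trip(failures, threshold, window_seconds):
    """The usual one-counter-per-source logic: (ip, ts) of the first trip, or None."""
    counters = defaultdict(lambda: SlidingCounter(threshold, window_seconds))
    for ts, _user, ip in failures:
        if counters[ip].add(ts):
            return ip, ts
    return None


def first_global_trip(failures, threshold, window_seconds):
    """One counter for ALL sources: timestamp of the first trip, or None."""
    counter = SlidingCounter(threshold, window_seconds)
    for ts, _user, _ip in failures:
        if counter.add(ts):
            return ts
    return None


def lockout_commands(port=22, seconds=120):
    """Shell lines for a temporary blanket block of NEW connections to `port`.
    Only the primary port is blocked, so a backup sshd on another port (with
    the same firewall rules otherwise) still lets the admin in."""
    rule = f"-p tcp --dport {port} -m conntrack --ctstate NEW -j DROP"
    return [f"iptables -I INPUT 1 {rule}", f"sleep {seconds}", f"iptables -D INPUT {rule}"]


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG.splitlines())
    print(f"{len(fails)} failures from {len({f[2] for f in fails})} distinct hosts")
    print("per-host (5 in 60s):", first_per_host_trip(fails, 5, 60))
    print("global   (10 in 60s):", first_global_trip(fails, 10, 60))
    print("\n".join(lockout_commands(22, 120)))
```

On the constructed log the per-host counter (5 failures in 60 s) never fires, because no address appears twice, while the global counter (10 in 60 s) fires on the tenth failure at 00:30:46; the generated commands then drop new connections to port 22 for the chosen number of seconds and remove the rule again, leaving any other port alone.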
