To be honest, this doesn't sound like a huge issue - if a single user/pass pair is being tried every 12 hours, the simplest defence will be to:
a) Not have guessable usernames;
b) Not permit remote login as root; and
c) Ensure passwords are not simple dictionary/hybrid words.

This way, even if c) is not true (i.e. users are a bit daft and use simple passwords), it will take an infeasible amount of time for a dictionary attack to succeed - one guess every 12 hours, multiplied by the number of attempts it might take to succeed, and you're probably into the order of millennia!

--
Peter SJF Bance
http://www.minstrel.org.uk/
XMPP: [email protected] | AIM: GreyMinstrel
MSN: [email protected] | ICQ: 254652398

On Fri, December 4, 2009 11:15, Sjors Gielen wrote:
>
> On 4 Dec 2009, at 06:12, Marconi wrote:
>
>> There was a recent discussion on the OS X Server list about the
>> recent nature of Distributed Dictionary Attacks. It seems that
>> attackers are getting around defenses like Denyhosts by attacking a
>> huge number of hosts at once such that they try a user/pass on any
>> given host only once every 12 hours or so. Between attempts on your
>> host, any given attacker is busy attacking others -- also once in
>> every 12 hours -- and works its way back to you.
>>
>> A DDA as described is able to make just as many attempts but so
>> infrequently on any one host as to not exceed any reasonable limits
>> we might set in Denyhosts.
>>
>> It seems to me that the way to defend against this is to aggregate
>> data from as many (attacked) hosts as possible. If data from multiple
>> attacked hosts showed that an IP address was in fact being used in a
>> DDA, Synchronization mode could be used to block it even though it
>> did not exceed any one host's triggers.
>>
>> Admittedly, it would be a big job to collect data from multiple
>> attacked hosts. It would result in far more data than just those
>> blocked IPs sent in via synch mode currently. The collection point
>> would have to track each reported IP and, at some predetermined
>> trigger count, add that IP to the normal Denyhosts synch list.
>>
>> Sound feasible? Discuss!
>
> I don't think, also, many administrators would want to send all their
> data to the sync servers. They may think it's a privacy issue,
> considering they would have to send every IP that fails to login, to
> be known to others... But on the other hand, if DenyHosts is simply
> made smarter to check for recurring IPs every x hours, they will just
> increase the waiting time. I can see a problem where if you log in 30
> times a day and you fail to log in once a day because of typos, you
> get blocked...
>
> Sjors

_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
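As an added example, not part of this thread and not DenyHosts code, the following sketches the collection point Marconi proposes: it tallies sshd "Failed password" lines reported by several hosts, keyed by source IP, and flags an address once its combined count crosses a trigger even though no single host saw enough failures to block it locally. Requiring the failures to come from several distinct hosts is what keeps Sjors' once-a-day typo on one box from tripping it. The hostnames, addresses, log lines and threshold values are constructed for the example.

```python
"""Cross-host aggregation of SSH login failures (illustrative, not DenyHosts code)."""
import re
from collections import defaultdict

# OpenSSH failure line as syslog writes it to auth.log; the second field
# after the timestamp is the reporting host. Covers both
# "Failed password for USER" and "Failed password for invalid user USER".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+)\sfrom\s(?P<ip>[\d.]+)"
)

# Constructed sample: 203.0.113.7 touches three hosts only once or twice
# each (under any sane per-host limit); 198.51.100.9 hammers one host and
# would be blocked locally anyway; 192.0.2.50 is a user who mistyped once.
SAMPLE_LOGS = """\
Dec  4 06:12:01 alpha sshd[2231]: Failed password for root from 203.0.113.7 port 40122 ssh2
Dec  4 18:13:44 alpha sshd[3371]: Failed password for invalid user admin from 203.0.113.7 port 40991 ssh2
Dec  4 07:02:10 bravo sshd[1180]: Failed password for invalid user oracle from 203.0.113.7 port 51004 ssh2
Dec  4 09:45:33 charlie sshd[990]: Failed password for root from 203.0.113.7 port 33020 ssh2
Dec  4 09:45:35 charlie sshd[991]: Failed password for root from 198.51.100.9 port 44001 ssh2
Dec  4 09:45:36 charlie sshd[992]: Failed password for root from 198.51.100.9 port 44002 ssh2
Dec  4 09:45:38 charlie sshd[993]: Failed password for root from 198.51.100.9 port 44003 ssh2
Dec  4 09:45:39 charlie sshd[994]: Failed password for root from 198.51.100.9 port 44004 ssh2
Dec  4 09:45:41 charlie sshd[995]: Failed password for root from 198.51.100.9 port 44005 ssh2
Dec  4 11:20:07 bravo sshd[1402]: Failed password for sjors from 192.0.2.50 port 60011 ssh2
Dec  4 11:20:09 bravo sshd[1402]: Accepted password for sjors from 192.0.2.50 port 60011 ssh2
"""


def parse_failures(text):
    """Yield (host, ip, user) for every sshd 'Failed password' line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield m.group("host"), m.group("ip"), m.group("user")


def aggregate(failures):
    """Return {ip: {host: failure_count}} across all reporting hosts."""
    table = defaultdict(lambda: defaultdict(int))
    for host, ip, _user in failures:
        table[ip][host] += 1
    return table


def local_offenders(table, per_host_limit=3):
    """IPs that some single host would already block on its own."""
    return sorted(ip for ip, per_host in table.items()
                  if max(per_host.values()) >= per_host_limit)


def distributed_offenders(table, per_host_limit=3, global_trigger=4, min_hosts=2):
    """IPs that stay below per_host_limit on every host yet reach
    global_trigger failures spread over at least min_hosts hosts."""
    hits = []
    for ip, per_host in table.items():
        total = sum(per_host.values())
        if (max(per_host.values()) < per_host_limit
                and total >= global_trigger
                and len(per_host) >= min_hosts):
            hits.append(ip)
    return sorted(hits)


if __name__ == "__main__":
    table = aggregate(parse_failures(SAMPLE_LOGS))
    print("blocked locally:      ", local_offenders(table))
    print("caught by aggregation:", distributed_offenders(table))
```

The per-host limit stands in for the DenyHosts threshold each host applies on its own; the global trigger and minimum host count are the collection point's knobs. In a real deployment the reports would arrive from many sites rather than one string, and the tally would need a retention window so that slow attackers are not forgotten between their visits.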
