At 12:15 PM +0100 12/4/09, Sjors Gielen sent email regarding Re: [Denyhosts-user] Distributed Botnet Attacks:
>On 4 Dec 2009, at 06:12, Marconi wrote:
>>
>>Admittedly, it would be a big job to collect data from multiple
>>attacked hosts. It would result in far more data than just those
>>blocked IPs sent in via synch mode currently. The collection point
>>would have to track each reported IP and, at some predetermined
>>trigger count, add that IP to the normal Denyhosts synch list.
>>
>>Sound feasible? Discuss!
>
>I don't think, also, many administrators would want to send all
>their data to the sync servers. They may think it's a privacy issue,
>considering they would have to send every IP that fails to login,

It would not be necessary to send all failed log-ins to the synch servers. Most of the attempts are likely to be to accounts that do not exist on any given server. No need to report the failed log-ins for names of actual users. Just report the attempts for users that do NOT exist and you can be sure that, 99% of the time, it's a probe and not a user mistyping a log-in ID.

How many (attacked) hosts would have to report an IP as attempting to log into a non-existent account before you'd know for certain that the IP is compromised? I don't know how many Denyhosts users there are, but I suspect that, if we all reported failed log-ins for non-existent users, we'd catch these DDAs at a pretty early stage.
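
The scheme discussed in this thread, sketched as an added example that is not part of the original message and is not DenyHosts code: each host reports only IPs that tried non-existent accounts, and a collection point adds an IP to the synch list once enough distinct hosts have reported it. The names `probes_to_report` and `CollectionPoint`, the trigger count of 3, and the sample log lines (documentation IP ranges) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# OpenSSH logs attempts on unknown accounts as "Invalid user NAME from IP".
INVALID_USER = re.compile(
    r"sshd\[\d+\]: Invalid user (\S+) from (\d{1,3}(?:\.\d{1,3}){3})")

def probes_to_report(log_lines):
    """Host side: return only the IPs that tried non-existent accounts.
    Failed log-ins for real users never match, so they are never sent."""
    return {m.group(2) for line in log_lines if (m := INVALID_USER.search(line))}

class CollectionPoint:
    """Hypothetical collector: counts distinct reporting hosts per IP."""
    def __init__(self, trigger_count):
        self.trigger_count = trigger_count      # assumed value, tune in practice
        self.reporters = defaultdict(set)       # ip -> ids of hosts that saw it
        self.sync_list = set()

    def report(self, host_id, ips):
        for ip in ips:
            self.reporters[ip].add(host_id)     # one host counts once per IP
            if len(self.reporters[ip]) >= self.trigger_count:
                self.sync_list.add(ip)
        return self.sync_list

# Constructed sample logs from three hosts (not real data).
SAMPLE_LOGS = {
    "hostA": [
        "Dec  4 06:01:12 hostA sshd[2101]: Invalid user oracle from 203.0.113.7",
        "Dec  4 06:01:15 hostA sshd[2103]: Invalid user oracle from 203.0.113.7",
        "Dec  4 06:02:40 hostA sshd[2110]: Failed password for alice "
        "from 198.51.100.20 port 50122 ssh2",
    ],
    "hostB": [
        "Dec  4 06:05:02 hostB sshd[877]: Invalid user test from 203.0.113.7",
        "Dec  4 06:07:31 hostB sshd[880]: Invalid user admin from 192.0.2.55",
    ],
    "hostC": [
        "Dec  4 06:09:44 hostC sshd[4410]: Invalid user guest from 203.0.113.7",
    ],
}

def run_sample(trigger_count=3):
    """Feed every host's report to one collector and return the synch list."""
    collector = CollectionPoint(trigger_count)
    for host, lines in SAMPLE_LOGS.items():
        collector.report(host, probes_to_report(lines))
    return collector.sync_list

if __name__ == "__main__":
    print(sorted(run_sample()))
```

The mistyped password for the real user `alice` is never reported, and `192.0.2.55` stays off the list because only one host saw it.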
