On 12/03/2008 09:02 PM, Steve wrote:
> I've recently discovered a curious pattern emerging in my system log
> with failed login attempts via ssh.
> 
> I'm not particularly concerned - since I'm confident that all my users
> have strong passwords... but it strikes me that this data identifies a
> bot-net that is clearly malicious attempting to break passwords.
> 
> Sure, I could use IPtables to block all these bad ports... or... I could
> disable password authentication entirely... but I keep thinking that
> there has to be something better I can do... any suggestions?  Is there
> a simple way to integrate a block-list of known-compromised hosts into
> IPtables - rather like my postfix is configured to drop connections from
> known spam sources from the sbl-xbl.spamhaus.org DNS block list, for
> example.

I just don't see what blocking ssh-bruteforce attempts should be good
for, at least on a server where few _users_ are active.

The chance that security of a well configured system will be compromised
by that is next to zero, and on recent systems it is also impossible to
cause significant load with ssh-login-attempts.

Also, things like fail2ban add new attack possibilities to a system. I
remember the old DoS for fail2ban, resulting from a wrong regex in log
file parsing, but I think at least this is fixed now.

Regards,
Christian Franke
