Previously on Full Disclosure: > ------------------------------ > > Message: 9 > Date: Fri, 2 Sep 2005 05:53:04 -0400 > From: "Pedro Hugo " <[EMAIL PROTECTED]> > Subject: Re: [Full-disclosure] SSH Bruteforce blocking script > To: <full-disclosure@lists.grok.org.uk> > Message-ID: <[EMAIL PROTECTED]> > Content-Type: text/plain; charset=us-ascii > > Hi, > >>I don't want to debate the goodness or badness of the strategy of >>blocking hosts like this in /etc/hosts.deny. It works perfectly for me, >>and most >>likely would for you, so no religious debates thanks. It's effective at >>blocking bruteforce attacks. If a host EXCEEDS a specified number of >>guesses >>during the (configurable) 30 seconds it takes the script to cycle, the >>host is blacklisted. >> > > Why are you doing this the wrong way ? You should whitelist hosts, instead > blacklisting them. > Unless you have administrative reasons for such decision, hosts.deny > should be set to ALL:ALL, and you should allow specifically in > hosts.allow. > This way everything is dropped by default. Tcpwrappers should be > configured the same way a firewall is, unless there is something against > it. > Even if you have customers who need remote access, adding a few ip's is > much better than having open by default. > Kind Regards, > Pedro Hugo > > Occasionally they do let, nay force, admins out of server closets, for health, or business, reasons.
Though I cannot speak for the OP directly, I submit that I travel often for business and cannot predict with any authority whether I am going to have a particular IP as a source with sufficient prescience to enter it into a whitelist before I leave. Between hotels and hosting organizations my IP varies radically, and due to their addressing and name assignment schemes, I may even not have a hostname choice (particularly a FQDN), so the static hostname option is out also (for hosts.allow). Since it is not acceptable for me to simply not have the ability to SSH into my servers when on the road, this is a solution that would work in part for me (though I have moved SSH to another port, it still receives "traffic" - just luckily not of the brute force login type as yet) and would potentially help out others in a similiar situation. -bp _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
