Walter wrote:
> Aggelos Economopoulos wrote:
>> Walter wrote:
>>> I got curious about BSD (DragonFly, specifically) security and
>>> wondered why there wasn't a security process that processed all
>>> security-relevant error messages which could then be used to
>>> block IPs, disable user accounts, and kill processes.
>>
>> Because
>> a) such a mechanism could be used for DoS attacks on the system itself
>> b) whether an error message is "security-relevant" is not something one
>> can decide with a trivial heuristic
>> c) most network services are 3rd-party software that we have no
>> control over
>> d)...
>
> I don't understand how blocking an IP that has had
> a hundred failed login attempts in the last ten
> minutes could create a DoS hole...
Because somebody might trick the system into blocking access for a valid IP,
either via outright spoofing or by simply confusing the logfile parser that
you are probably using (most of those were clumsy last time I looked, but
keep in mind that the syslog format was intended for human consumption).

> What if someone hacked an account and started trying
> to gain root access? Aren't there ways to tell you've
> got a hacker online before he/she compromises your
> system? It seems like a good thing to know. Yet, as
> I must admit, I have no idea what tools are in place
> which might be used to gauge this. The heuristics may
> not be trivial, but could be developed... I was just
> wondering why no one had tried it.

Heuristics are mostly useful for admin convenience ("keeping the log files
clean"); they are not a substitute for actual security measures.

[...]

> I just thought that I'd like a tool that once I got some
> definable failed login attempts that I'd like the computer
> to automatically shunt the source IP for a while.

See above. FWIW (and as others have suggested already) I think disabling
password logins and/or moving ssh to a different port is your best bet for
this kind of problem.

HTH,
Aggelos
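The "confusing the logfile parser" point above, as an added example that is not part of this thread and not DragonFly code: a small Python script that counts sshd password failures per source address with two different regexes and shows which addresses a threshold-based blocker would shunt. The log lines are constructed for the example, and the script assumes the daemon echoes the attempted username into the "Failed password for ..." line as typed, so an attacker can embed a fake "from <ip> port <n> ssh2" in the username. A parser that takes the first "from" it sees then attributes the failures to whatever address the attacker chose, and a naive blocker locks out the legitimate admin at 192.0.2.10. Anchoring the match on the real "from <ip> port <n> ssh2" suffix at the end of the line avoids that particular trick.

```python
import ipaddress
import re
from collections import Counter

# Constructed syslog-style sshd lines (not real logs). 198.51.100.7 is the
# attacker, 192.0.2.10 is the administrator's real address. Lines 4-6 use a
# username of "root from 192.0.2.10 port 4444 ssh2", which the daemon is
# assumed to echo verbatim into the log line.
SAMPLE_LOG = """\
Jan  5 10:00:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Jan  5 10:00:02 host sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
Jan  5 10:00:03 host sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 51024 ssh2
Jan  5 10:00:09 host sshd[1204]: Failed password for invalid user root from 192.0.2.10 port 4444 ssh2 from 198.51.100.7 port 51025 ssh2
Jan  5 10:00:10 host sshd[1205]: Failed password for invalid user root from 192.0.2.10 port 4444 ssh2 from 198.51.100.7 port 51026 ssh2
Jan  5 10:00:11 host sshd[1206]: Failed password for invalid user root from 192.0.2.10 port 4444 ssh2 from 198.51.100.7 port 51027 ssh2
Jan  5 10:00:20 host sshd[1207]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
"""

# Naive pattern: takes the first "from <token>" after the username. The
# username is attacker-controlled, so the captured "ip" is too.
NAIVE_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+)"
)

# Stricter pattern: the greedy ".*" swallows everything up to the LAST
# "from <dotted quad> port <n> ssh2", which is anchored to the end of the
# line and is the part the daemon appended itself.
STRICT_RE = re.compile(
    r"Failed password for .* from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def failures_per_ip(log_text, pattern):
    """Count failed-password lines per source address using `pattern`.

    Tokens that are not syntactically valid IP addresses are discarded so
    that garbage in the username cannot end up in a firewall rule.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = pattern.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        counts[str(ip)] += 1
    return counts


def ips_to_block(log_text, pattern, threshold=3):
    """Addresses a threshold-based blocker would shunt for this log."""
    counts = failures_per_ip(log_text, pattern)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    # The naive parser blocks the admin's address as well as the attacker's;
    # the anchored parser blocks only the attacker.
    print("naive :", ips_to_block(SAMPLE_LOG, NAIVE_RE))
    print("strict:", ips_to_block(SAMPLE_LOG, STRICT_RE))
```

Even the stricter regex only removes one parser-confusion trick; it does nothing about the spoofing case, and any automatic blocker should still keep an allowlist for addresses you cannot afford to lose.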