[Firehol-support] Re: Integrating ipt_recent with FireHOL

[Carlos Rodrigues]

Allen Smith wrote:
> This kind of thing might be better handled with something like denyhosts.
> 
> http://denyhosts.sourceforge.net/
> 
> Instead of firewalling off the offending hosts which alerts them to switch the 
> attacking process to another zombie under their control, it adds the IP 
> address to deny.hosts so they keep trying and even if they successfully get a 
> username/password combo, ssh will keep giving them permission denied. As far 
> as they are concerned, they failed to bruteforce.

I personally don't like that approach for several reasons: it requires 
extra software, it works by going through the logs periodically, and it 
has to be running in every machine.

But the main problem with these SSH attacks isn't the security issue (if 
you only use SSH to admininister machines, disallow root to login, limit 
who can login with "AllowUsers", and have moderately good passwords, the 
changes of a break-in are slim), it is the log pollution. Modifying 
"deny.users" does nothing to stop that, and it does nothing to stop the 
back-to-back spawning of "sshd" processes while the attack is going on.

The ipt_recent solution acts immediately, and it completely ignores the 
attacker (if it waits for the TCP timeout it will slow it down 
considerably, that's why they just move on if ignored for a few seconds 
- many addresses to probe, no time to wait). And it doesn't require 
additional software. But more important than that, it acts globally: the 
attacker starts pounding one machine in my subnet and gets ignored, thus 
moving on to the next machine (notice that they probe addresses for 
listening ssh daemons a good half-hour before they start sweeping them) 
where it keeps being ignored, until (ideally) there are no more machines.

Carlos Rodrigues