[Firehol-support] Re: Integrating ipt_recent with FireHOL

Carlos Rodrigues carlos.efr at mail.telepac.pt
Thu Nov 10 23:39:29 GMT 2005

Allen Smith wrote:
> This kind of thing might be better handled with something like denyhosts.
> http://denyhosts.sourceforge.net/
> Instead of firewalling off the offending hosts which alerts them to switch the 
> attacking process to another zombie under their control, it adds the IP 
> address to deny.hosts so they keep trying and even if they successfully get a 
> username/password combo, ssh will keep giving them permission denied. As far 
> as they are concerned, they failed to bruteforce.

I personally don't like that approach for several reasons: it requires 
extra software, it works by going through the logs periodically, and it 
has to be running on every machine.

But the main problem with these SSH attacks isn't the security issue (if 
you only use SSH to administer machines, disallow root to login, limit 
who can login with "AllowUsers", and have moderately good passwords, the 
chances of a break-in are slim), it is the log pollution. Modifying 
"deny.users" does nothing to stop that, and it does nothing to stop the 
back-to-back spawning of "sshd" processes while the attack is going on.

The ipt_recent solution acts immediately, and it completely ignores the 
attacker (if it waits for the TCP timeout it will slow it down 
considerably, that's why they just move on if ignored for a few seconds 
- many addresses to probe, no time to wait). And it doesn't require 
additional software. But more important than that, it acts globally: the 
attacker starts pounding one machine in my subnet and gets ignored, thus 
moving on to the next machine (notice that they probe addresses for 
listening ssh daemons a good half-hour before they start sweeping them) 
where it keeps being ignored, until (ideally) there are no more machines.

Carlos Rodrigues
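The ipt_recent ruleset the message above describes, as an added example that is not part of the original thread and not FireHOL's own configuration syntax: it uses the plain iptables command line with the "recent" match. The thresholds (4 new connections per 60 seconds), the list name "SSH" and the IPT variable are assumptions chosen for illustration. By default the commands are only printed so the ruleset can be reviewed; set IPT=iptables (as root) to apply them.

```shell
#!/bin/sh
# Added example (not from the original thread): SSH brute-force throttling
# with the iptables "recent" match (ipt_recent). The thresholds (4 new
# connections per 60 s) and the list name "SSH" are assumptions chosen for
# illustration, not values taken from the thread.
#
# Set IPT=iptables to apply the rules for real (as root); by default the
# commands are only printed so the ruleset can be reviewed first.
IPT=${IPT:-"echo iptables"}

# ssh_recent_rules CHAIN [SECONDS] [HITCOUNT]
#   CHAIN    INPUT on a single host, FORWARD on a gateway protecting a subnet
#            (one shared list on the gateway covers every machine behind it)
#   SECONDS  sliding window in which new connections are counted
#   HITCOUNT number of new connections within the window that triggers DROP
ssh_recent_rules() {
    chain=$1
    seconds=${2:-60}
    hitcount=${3:-4}

    # 1. Packets of already established sessions are never counted, so an
    #    admin who is logged in is not affected by the throttle.
    $IPT -A "$chain" -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 2. For a new connection, look the source up in the "SSH" list. If it
    #    already has HITCOUNT entries within SECONDS, refresh its timestamp
    #    (--update) and DROP silently: no RST, no ICMP, so the client sits
    #    on its own TCP timeout, which is what makes scanners move on.
    #    --rttl requires the packet's TTL to match the one recorded by the
    #    --set rule, which blunts spoofed SYNs aimed at getting a third
    #    party's address blocked.
    $IPT -A "$chain" -p tcp --dport 22 -m state --state NEW \
        -m recent --name SSH --update --seconds "$seconds" --hitcount "$hitcount" --rttl -j DROP

    # 3. Otherwise record this attempt (--set adds or refreshes the entry)
    #    and let the connection through. Rule order matters: --set must come
    #    after the --update check, or the rule would count the attempt it
    #    is about to accept.
    $IPT -A "$chain" -p tcp --dport 22 -m state --state NEW \
        -m recent --name SSH --set -j ACCEPT
}

# Preview the rules for a single host (INPUT) and for a subnet gateway
# (FORWARD), where one list throttles the attacker for the whole subnet.
ssh_recent_rules INPUT
ssh_recent_rules FORWARD 60 4
```

The order of the three rules is the whole trick: established traffic is exempted first, the --update/--hitcount check decides whether to drop, and only then does --set record the attempt. Swapping rules 2 and 3 would make every attempt count against itself and lock out legitimate users after a single failed login.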
