[Firehol-support] Re: Integrating ipt_recent with FireHOL

Redeeman redeeman at metanurb.dk
Fri Nov 11 00:00:06 GMT 2005

On Thu, 2005-11-10 at 23:39 +0000, Carlos Rodrigues wrote:
> Allen Smith wrote:
> > This kind of thing might be better handled with something like denyhosts.
> > 
> > http://denyhosts.sourceforge.net/
> > 
> > Instead of firewalling off the offending hosts which alerts them to switch the 
> > attacking process to another zombie under their control, it adds the IP 
> > address to deny.hosts so they keep trying and even if they successfully get a 
> > username/password combo, ssh will keep giving them permission denied. As far 
> > as they are concerned, they failed to bruteforce.
> I personally don't like that approach for several reasons: it requires 
> extra software, it works by going through the logs periodically, and it 
> has to be running in every machine.
> But the main problem with these SSH attacks isn't the security issue (if 
> you only use SSH to admininister machines, disallow root to login, limit 
> who can login with "AllowUsers", and have moderately good passwords, the 
> changes of a break-in are slim), it is the log pollution. Modifying 
> "deny.users" does nothing to stop that, and it does nothing to stop the 
> back-to-back spawning of "sshd" processes while the attack is going on.
> The ipt_recent solution acts immediately, and it completely ignores the 
> attacker (if it waits for the TCP timeout it will slow it down 
> considerably, that's why they just move on if ignored for a few seconds 
> - many addresses to probe, no time to wait). And it doesn't require 
> additional software. But more important than that, it acts globally: the 
> attacker starts pounding one machine in my subnet and gets ignored, thus 
> moving on to the next machine (notice that they probe addresses for 
> listening ssh daemons a good half-hour before they start sweeping them) 
> where it keeps being ignored, until (ideally) there are no more machines.
i completely agree

> Carlos Rodrigues
> -------------------------------------------------------
> SF.Net email is sponsored by:
> Tame your development challenges with Apache's Geronimo App Server. Download
> it for free - -and be entered to win a 42" plasma tv or your very own
> Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/firehol-support

More information about the Firehol-support mailing list