On 1/8/19 7:56 PM, Jon Elson via cctalk wrote:
Interesting observation I made a few years ago. I run a web store, and
was being inundated with ssh login attempts. About 1000/day! I decided
this was serious, they'd eventually get lucky.
It's really hard for them to get lucky if you don't allow password based
authentication. ;-)
It's also even harder for them to get lucky if you move your SSH daemon
to an alternate port and / or put it behind port knocking / single
packet authorization. }:-)
So, searching available software, I found denyhosts. It checks the logs
for login failures, and after a set threshold, it puts the source IP
into the hosts.deny list, and your machine effectively disappears from
that source IP's view.
Yes and no. DenyHosts is a useful tool. But hosts.deny / hosts.allow
is TCP Wrappers. Your services needs to both support and be configured
to use TCP Wrappers. Not everything is compiled with support for, or
configured to use, TCP Wrappers.
I personally prefer to add reject route and enable reverse path
filtering. That operates at a lower level and protects EVERYTHING on
the system without requiring any feature, like TCP Wrappers.
I set the rules very strictly, so that after 3 login failures over a 2
month span, that IP was blocked for a year. Something very interesting
happened.
I think that your rule logic could just as easily be applied to reject
routes.
The number of attempts did not diminish immediately, as the botnets had
a large number of compromised machines. But, suddenly, two weeks to the
EXACT HOUR when I set up denyhosts, the attacks dropped from 1000/day to
3! Just like flipping a switch!
Intriguing.
So, these hackers have a dark net list somewhere where they trade IP
addresses of machines they would like to hack, and what they can figure
out about the security measures implemented on them. When they have
demonstrated by coordinated attempts that your lockout horizon is over
two weeks, they put out the word that your site is not going to bear
any fruit.
Yep. Black hats communicate with each other just like white hats do.
Of course, it could have been one bot-net & bot-herder too. I've heard
tell of bots that 300,000 bots.
I currently have 9000-some blocked IPs in hosts.deny, I wonder how much
that slows down my store.
I doubt much at all.
(Assuming that your web server supports and is using TCP Wrappers.)
Ugh, the stuff we are forced to go through.
Yep. Oy Vey comes to mind.
--
Grant. . . .
unix || die
