On 1/8/19 7:56 PM, Jon Elson via cctalk wrote:
> Interesting observation I made a few years ago.  I run a web store, and was being inundated with ssh login attempts. About 1000/day!  I decided this was serious, they'd eventually get lucky.

It's really hard for them to get lucky if you don't allow password based authentication. ;-)

It's also even harder for them to get lucky if you move your SSH daemon to an alternate port and / or put it behind port knocking / single packet authorization. }:-)

> So, searching available software, I found denyhosts.  It checks the logs for login failures, and after a set threshold, it puts the source IP into the hosts.deny list, and your machine effectively disappears from that source IP's view.

Yes and no. DenyHosts is a useful tool. But hosts.deny / hosts.allow is TCP Wrappers. Your services need to both support and be configured to use TCP Wrappers. Not everything is compiled with support for, or configured to use, TCP Wrappers.

I personally prefer to add a reject route and enable reverse path filtering. That operates at a lower level and protects EVERYTHING on the system without requiring any feature, like TCP Wrappers.

> I set the rules very strictly, so that after 3 login failures over a 2 month span, that IP was blocked for a year. Something very interesting happened.

I think that your rule logic could just as easily be applied to reject routes.

> The number of attempts did not diminish immediately, as the botnets had a large number of compromised machines.  But, suddenly, two weeks to the EXACT HOUR when I set up denyhosts, the attacks dropped from 1000/day to 3!  Just like flipping a switch!

Intriguing.

> So, these hackers have a dark net list somewhere where they trade IP addresses of machines they would like to hack, and what they can figure out about the security measures implemented on them. When they have demonstrated by coordinated attempts that your lockout horizon is over two weeks, they put out the word that your site is not going to bear any fruit.

Yep.  Black hats communicate with each other just like white hats do.

Of course, it could have been one bot-net & bot-herder too. I've heard tell of botnets with 300,000 bots.

> I currently have 9000-some blocked IPs in hosts.deny, I wonder how much that slows down my store.

I doubt much at all.

(Assuming that your web server supports and is using TCP Wrappers.)

> Ugh, the stuff we are forced to go through.

Yep.  Oy Vey comes to mind.



--
Grant. . . .
unix || die

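As an added illustration (not code from the thread or from either poster), here is how the threshold rule quoted above (3 login failures in a 2 month span, blocked for a year) could feed reject routes plus reverse path filtering instead of hosts.deny. The sshd log excerpt is constructed, the ISO timestamp format is assumed, and the commands are only emitted as strings so you can review them before running them as root.

```python
import re
from datetime import datetime, timedelta

# Constructed sshd log excerpt (not from the thread). ISO timestamps are assumed
# so there is no syslog year guessing; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2018-09-01T04:12:09 shop sshd[3001]: Failed password for root from 198.51.100.9 port 41000 ssh2
2018-11-15T11:03:55 shop sshd[3555]: Failed password for invalid user admin from 198.51.100.9 port 41320 ssh2
2018-11-20T02:11:05 shop sshd[4011]: Failed password for root from 203.0.113.7 port 51022 ssh2
2018-12-14T23:40:17 shop sshd[4190]: Failed password for invalid user test from 203.0.113.7 port 40112 ssh2
2019-01-08T19:56:01 shop sshd[5120]: Failed password for root from 203.0.113.7 port 60333 ssh2
2019-01-08T20:01:44 shop sshd[5133]: Failed password for root from 198.51.100.9 port 33110 ssh2
2019-01-08T20:05:12 shop sshd[5140]: Accepted publickey for grant from 192.0.2.10 port 50000 ssh2
"""

FAILURE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for .*? from (?P<ip>[0-9.]+) port \d+"
)
MAX_FAILURES = 3             # block on the third failure ...
WINDOW = timedelta(days=60)  # ... when all three fall inside a 2-month span
BLOCK_FOR = timedelta(days=365)

def parse_failures(log_text):
    """Return {ip: [datetime, ...]} for every 'Failed password' line; other lines are ignored."""
    failures = {}
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            failures.setdefault(m.group("ip"), []).append(datetime.fromisoformat(m.group("ts")))
    return failures

def decide_blocks(failures):
    """First moment an IP has MAX_FAILURES failures within WINDOW -> {ip: (blocked_at, expires_at)}."""
    blocks = {}
    for ip, times in failures.items():
        times = sorted(times)
        for i, t in enumerate(times):
            recent = [x for x in times[: i + 1] if t - x <= WINDOW]  # failures inside the window
            if len(recent) >= MAX_FAILURES:
                blocks[ip] = (t, t + BLOCK_FOR)
                break
    return blocks

def route_commands(blocks):
    """Reject-route form of the block: an 'unreachable' route drops traffic to the source, and with
    strict reverse path filtering (rp_filter=1) packets arriving *from* it fail the source lookup and
    are dropped too, with no TCP Wrappers support needed in any service."""
    cmds = ["sysctl -w net.ipv4.conf.all.rp_filter=1"]
    for ip, (_, expires) in sorted(blocks.items()):
        cmds.append(f"ip route add unreachable {ip}/32  # until {expires:%Y-%m-%d}")
    return cmds
```

Note that 198.51.100.9 also has three failures in the sample, but only two fall inside the 60 day window, so it is not blocked; the expiry is recorded so a cron job can remove the route a year later.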