Erik Norgaard wrote:
Leo L. Schwab wrote:
On Mon, Nov 13, 2006 at 09:16:35PM +0100, Erik Norgaard wrote:
Honestly, I wouldn't worry about it: review your config and make some
simple choices to reduce the noise, see this article:
http://www.securityfocus.com/infocus/1876
But I rather thought that was the point of 'bruteblock' -- it
reduces the noise by blackholing the offending IPs for an hour or so.
This blackholing doesn't appear to be happening, and I don't understand why.
Could it be a permission problem -- syslog doesn't have permission
to change the firewall rules?
I wouldn't worry about "bruteblock" - try creating a Perl script and see
if you can see a system in the attacks: Does the same host come back? If
so, does it continue from where it left off?
The annoyance of these brute force attacks is that your log is larger
than it would be without them.
That is, unless of course you have made yourself vulnerable!
- do you use bad passwords?
- do you allow root login?
- have you disabled system accounts?
If the answers are no, no and yes, then you can largely ignore. For more
on this - read the linked article, read the old thread.
Cheers, Erik
jumping into this thread late, but denyhosts works great and also does a
distributed thing where, if you opt in, you can get updates from other
people who run denyhosts. These are then added to your deny list and if
your box is scanned the attempts will be blocked. think of it like a
spamhaus list for SSH brute force attacks. it works well.
in short:
1. use denyhosts
2. do not use password based authentication for ssh. rather, use keys
that are password protected
3. never allow root ssh logins
and everything should be swell
Eric
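
The log check suggested in the quoted message above (does the same host come back, and does it continue where it left off?), as an added example that is not from any poster in this thread and is written in Python rather than Perl. It assumes OpenSSH "Failed password" syslog lines in chronological order; the sample lines, the 10-minute gap and the year are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH failure lines, including the "invalid user" / older "illegal user" forms.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?:invalid|illegal) user )?(\S+) from (\S+) port \d+")

# Constructed sample log (documentation-range addresses), not real data.
SAMPLE = [
    "Nov 13 21:02:11 box sshd[811]: Failed password for invalid user admin from 192.0.2.10 port 4001 ssh2",
    "Nov 13 21:02:13 box sshd[812]: Failed password for invalid user guest from 192.0.2.10 port 4002 ssh2",
    "Nov 13 21:05:00 box sshd[820]: Failed password for root from 198.51.100.7 port 5001 ssh2",
    "Nov 13 21:06:00 box sshd[825]: Accepted publickey for leo from 203.0.113.9 port 6001 ssh2",
    "Nov 13 21:40:00 box sshd[830]: Failed password for illegal user test from 203.0.113.5 port 7001 ssh2",
    "Nov 13 22:30:00 box sshd[901]: Failed password for invalid user oracle from 192.0.2.10 port 4100 ssh2",
    "Nov 13 22:30:02 box sshd[902]: Failed password for invalid user test from 192.0.2.10 port 4101 ssh2",
    "Nov 13 23:00:00 box sshd[950]: Failed password for root from 198.51.100.7 port 5100 ssh2",
]

def visits_by_host(lines, gap=timedelta(minutes=10), year=2006):
    """Group failed logins per source IP into visits separated by more than `gap`."""
    visits, last_seen = defaultdict(list), {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        stamp, user, ip = m.groups()
        # syslog omits the year; `year` is an assumption supplied by the caller
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if ip not in last_seen or when - last_seen[ip] > gap:
            visits[ip].append([])  # first sighting, or host returned after a pause
        visits[ip][-1].append(user)
        last_seen[ip] = when
    return dict(visits)

def classify(visits):
    """Per host: did it return, and did each return start with an untried username?"""
    report = {}
    for ip, runs in visits.items():
        tried, resumed = set(runs[0]), True
        for run in runs[1:]:
            resumed = resumed and run[0] not in tried
            tried.update(run)
        if len(runs) < 2:
            report[ip] = "single visit"
        else:
            report[ip] = "returns, resumes list" if resumed else "returns, restarts list"
    return report
```

Feeding it the lines of the real auth log instead of `SAMPLE` gives the same per-host summary.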
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions