Petter Reinholdtsen <[email protected]> writes:

> Hi.
>
> On all my machines, I install denyhosts with a two hour timeout
> (DAEMON_PURGE = 2h), to block those trying to brute force a ssh login.
> Should we do something similar on the Freedombox?
>
> In addition to denyhosts (which only handles ssh), there are other
> relevant packages in Debian:
>
>   libpam-shield - locks out remote attackers trying password guessing
>   libpam-abl - blocks hosts which are attempting a brute force attack
>   fail2ban

The trouble with this approach is that an attacker can always widen their net, trying passwords against _many_ hosts, so that they only come back to any particular host after a decent interval. If they're smart they'll be using a lot of source addresses (a bot-net, say) and they'll be able to work out quite quickly what the parameters are for you to ban them, and aim just under the RADAR.

So, what you're doing is blocking only the less dangerous attackers while giving yourself a nice warm glow.

One would be a lot better off disabling passwords, or if that's not possible, a spot of security through obscurity[1] can deal with almost all the people that would be stopped by fail2ban or the like.

Cheers, Phil.

[1] I was thinking things like:

  Running ssh on a non-standard port

  Requiring some other mechanism, such as a port-knock or a login to the web interface in order to grant a temporary ability to use passwords from your IP address.

which will stop most random attacks from even establishing a connection.

Of course, all these tend to require a bit more of the user to get it to work, which means that it's out of the question for FreedomBox. :-/

Cheers, Phil.

-- 
|)|  Philip Hands [+44 (0)20 8530 9560]    http://www.hands.com/
|-|  HANDS.COM Ltd.                    http://ftp.uk.debian.org/
|(|  10 Onslow Gardens, South Woodford, London  E18 1NE  ENGLAND
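Phil's point that a distributed guesser can stay just under a per-source ban threshold can be checked on constructed log lines. This is an added illustration, not code from the thread or from fail2ban/denyhosts: the simplified sshd-style lines with an epoch prefix, the regex, and the thresholds (maxretry 5 per source, 8 host-wide) are assumptions; the addresses come from documentation ranges.

```python
"""Per-source (fail2ban-style) banning versus a host-wide failure count."""
import re
from collections import defaultdict, deque

# Assumed simplified format: "<epoch> sshd[pid]: Failed password for ... from <ip> port <n> ssh2"
FAILED_RE = re.compile(r"^(?P<ts>\d+) .*Failed password for .* from (?P<ip>[\d.]+) port")


def parse_failures(lines):
    """Return (epoch_seconds, source_ip) for every failed-password line."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            events.append((int(m.group("ts")), m.group("ip")))
    return events


def per_source_bans(events, maxretry=5, findtime=600):
    """Ban an address once it reaches maxretry failures inside a findtime-second window."""
    recent = defaultdict(deque)
    banned = set()
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > findtime:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= maxretry:
            banned.add(ip)
    return banned


def host_wide_alert(events, threshold=8, findtime=600):
    """Count failures from all sources together; return the first alert time, or None."""
    q = deque()
    for ts, _ in events:
        q.append(ts)
        while ts - q[0] > findtime:
            q.popleft()
        if len(q) >= threshold:
            return ts
    return None


# Constructed samples. NOISY: one source, 6 tries in a minute.
# SPREAD: six sources, two tries each, all within a few minutes (no source reaches maxretry).
NOISY = [f"{1000 + 10 * i} sshd[1]: Failed password for root from 198.51.100.9 port {40000 + i} ssh2"
         for i in range(6)]
SPREAD = [f"{2000 + 20 * i} sshd[1]: Failed password for invalid user admin "
          f"from 203.0.113.{i // 2 + 1} port {50000 + i} ssh2" for i in range(12)]
```

Run against SPREAD, per_source_bans returns no addresses at all while host_wide_alert fires; against NOISY the reverse holds, which is why the two views complement rather than replace each other.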
_______________________________________________
Freedombox-discuss mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
