[Philip Hands]
> The trouble with this approach is that an attacker can always widen
> their net, trying passwords against _many_ hosts, so that they only
> come back to any particular host after a decent interval. If
> they're smart they'll be using a lot of source addresses (a bot-net,
> say) and they'll be able to work out quite quickly what the
> parameters are for you to ban them, and aim just under the RADAR.
>
> So, what you're doing is blocking only the less dangerous attackers
> while giving yourself a nice warm glow.
Absolutely, and such slow under-the-RADAR scanning is going on, as can be seen from <URL: http://bsdly.blogspot.no/search/label/Hail%20Mary%20Cloud >. But the net gain of blocking some (even less dangerous) attackers is, as I see it, very real, and worth it if the setup is easy and the negative consequences are small.

So far these alternatives for doing that are identified:

  iptables / ufw rules
  libpam-shield - locks out remote attackers trying password guessing
  libpam-abl - blocks hosts which are attempting a brute force attack
  fail2ban - ban hosts that cause multiple authentication errors
  denyhosts - Utility to help sys admins thwart SSH crackers (*)

(*) denyhosts is removed from unstable and testing, and not really a good option for us.

I'm not sure which one of these is the best option. A PAM based solution seems more flexible and able to handle many protocols, but which of the two is fit for the task?

--
Happy hacking
Petter Reinholdtsen

_______________________________________________
Freedombox-discuss mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
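The exchange above contrasts per-host banning (what fail2ban, libpam-abl and similar tools do) with the slow, distributed "under the RADAR" guessing that stays below any per-host threshold. The following is an added example, not code from the post or from any of the tools listed: it parses constructed OpenSSH-style "Failed password" lines and runs two detectors over them, a fail2ban-like per-source threshold and an account-centric aggregation that counts failures against one account across all source addresses over a longer window. The log lines, the bot-net addresses, the thresholds, the window sizes and the year used for parsing are all assumptions chosen for illustration.

```python
"""Per-source banning versus account-centric aggregation for SSH password
guessing.  Added example, not from the mailing-list post: the log lines are
constructed to look like OpenSSH 'Failed password' messages, and the
thresholds, windows and year are assumptions chosen for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2014  # syslog timestamps carry no year; assumed for parsing
_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def _fail_line(ts, user, ip, port, invalid=True):
    """Build one constructed sshd failure line in syslog layout."""
    who = f"invalid user {user}" if invalid else user
    return (f"{ts:%b %d %H:%M:%S} box sshd[{port % 997}]: Failed password for "
            f"{who} from {ip} port {port} ssh2")


def build_sample_log():
    """Constructed sample: six 'bot-net' addresses guessing 'admin', each
    source returning only every 10 minutes (under a 5-in-10-minutes per-host
    rule), one noisy single source hammering 'root', and one legitimate typo."""
    base = datetime(LOG_YEAR, 1, 12, 10, 0, 0)
    botnet = [f"198.51.100.{n}" for n in range(10, 16)]
    lines = []
    for round_no in range(4):                      # four slow passes
        for i, ip in enumerate(botnet):
            ts = base + timedelta(minutes=10 * round_no, seconds=90 * i)
            lines.append(_fail_line(ts, "admin", ip, 40000 + 6 * round_no + i))
    noisy = base + timedelta(minutes=20)
    for k in range(6):                             # six failures in 2.5 minutes
        lines.append(_fail_line(noisy + timedelta(seconds=30 * k), "root",
                                "203.0.113.7", 50000 + k, invalid=False))
    lines.append(_fail_line(base + timedelta(minutes=5), "petter", "192.0.2.5", 51000))
    return "\n".join(sorted(lines)) + "\n"   # same day, so string order is time order


def parse_failures(log_text):
    """Return (timestamp, user, source_ip) for every failed-password line."""
    events = []
    for line in log_text.splitlines():
        m = _FAIL_RE.match(line)
        if not m:
            continue                                # unrelated log line
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def _burst_within(times, threshold, window):
    """True if any sliding window of the given length holds >= threshold events."""
    times = sorted(times)
    lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


def per_source_bans(events, threshold=5, window=timedelta(minutes=10)):
    """fail2ban-style rule: ban a source that fails `threshold` times in `window`."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    return {ip for ip, times in by_ip.items() if _burst_within(times, threshold, window)}


def per_account_alerts(events, threshold=10, window=timedelta(hours=1), min_sources=3):
    """Account-centric rule: flag an account hit `threshold` times in `window`
    from at least `min_sources` distinct addresses; returns {user: sources}."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    alerts = {}
    for user, hits in by_user.items():
        sources = {ip for _ts, ip in hits}
        if len(sources) >= min_sources and _burst_within([ts for ts, _ in hits], threshold, window):
            alerts[user] = sources
    return alerts


def analyze(log_text=None):
    """Run both detectors; defaults to the constructed sample log."""
    events = parse_failures(log_text if log_text is not None else build_sample_log())
    return per_source_bans(events), per_account_alerts(events)


if __name__ == "__main__":
    bans, alerts = analyze()
    print("per-source bans :", sorted(bans))
    for user, sources in alerts.items():
        print(f"account '{user}' targeted from {len(sources)} sources:", sorted(sources))
```

On the sample, the per-source rule bans only the noisy 203.0.113.7, while every bot-net address stays unbanned because each one shows at most four failures spread ten minutes apart; the account-centric rule flags 'admin' with all six sources. That is the gap Philip describes: a per-host tool is still worth running for the noisy cases, but catching the distributed pattern needs a second view keyed on the target account (or on the host as a whole) over a longer window, which a PAM- or log-based tool could add without changing the ban mechanism.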
