Distributed SSH attack
Jukka Ruohonen
jruohonen at iki.fi
Sat Oct 3 08:37:51 UTC 2009
On Fri, Oct 02, 2009 at 05:17:59PM -0400, Greg Larkin wrote:
> You could set up DenyHosts and contribute to the pool of IPs that are
> attempting SSH logins on the Net:
> http://denyhosts.sourceforge.net/faq.html#4_0
While I am well aware that a lot of people use DenyHosts or some equivalent
tool, I've always been somewhat skeptical about these tools. A few issues:
1. Firewalls should generally be as static as is possible. There is a reason
why high securelevel prevents modifications to firewalls.
2. Generally you do not want some parser to modify your firewall rules.
Parsing log entries created by remote unauthenticated users as root is
never a good idea.
3. Doing (2) increases the attack surface.
4. There have been well-documented cases where (3) has opened opportunities
for both remote and local DoS.
Two cents, as they say,
Jukka.
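An added illustration of points 2 and 4 above (example code written for this page, not DenyHosts code, and it makes no claim about how DenyHosts itself parses logs): the user name in an sshd failure line is chosen by the unauthenticated remote client, so a parser that grabs "the first address on the line" can be steered into blocking a third party. The log lines are constructed, the allowlist network and the pf table name "bruteforce" are assumptions, and the block candidates are only rendered as commands for an operator to review, never applied.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of sshd log lines; not taken from any real host. The
# "user name" in lines 3 to 5 is attacker-chosen text (an unauthenticated
# client picks its own user name), crafted to look like another address.
# Only the trailing "from <addr> port <n>" is written by sshd itself.
SAMPLE_LOG = """\
Oct  3 08:31:02 gw sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
Oct  3 08:31:05 gw sshd[1203]: Failed password for invalid user test from 198.51.100.7 port 50124 ssh2
Oct  3 08:31:09 gw sshd[1205]: Invalid user 192.0.2.44 from 198.51.100.7 port 50130
Oct  3 08:31:12 gw sshd[1207]: Failed password for invalid user 192.0.2.44 from 198.51.100.7 port 50131 ssh2
Oct  3 08:31:15 gw sshd[1209]: Invalid user root from 192.0.2.44 port 22 from 198.51.100.7 port 50133
Oct  3 08:32:40 gw sshd[1210]: Accepted publickey for jukka from 203.0.113.5 port 41000 ssh2
"""

# Assumption: a management network that must never be blocked automatically.
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]

DOTTED_QUAD = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def naive_offenders(log, threshold=2):
    """Careless parser: the first dotted quad in a failure line is 'the attacker'.

    Because the user name precedes the peer address in sshd's message, an
    injected address in the user name is what gets counted and blocked.
    """
    hits = Counter()
    for line in log.splitlines():
        if "Failed password" in line or "Invalid user" in line:
            m = DOTTED_QUAD.search(line)
            if m:
                hits[m.group(0)] += 1
    return {ip for ip, n in hits.items() if n >= threshold}


# Anchored parser: the peer address is the LAST "from <addr> port <n>" on the
# line, appended by sshd itself, so anchor at the end of the line and let the
# user name be anything (including injected "from ... port ..." fragments).
FAIL_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed \S+ for |Invalid user ).*"
    r" from (?P<ip>\S+) port \d+(?: ssh2)?$"
)


def careful_offenders(log, threshold=2):
    """Parse only the sshd-written peer field, validate it, honour the allowlist."""
    hits = Counter()
    for line in log.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # not an address at all; never feed it to a firewall
        if any(addr in net for net in ALLOWLIST):
            continue
        hits[str(addr)] += 1
    return {ip for ip, n in hits.items() if n >= threshold}


def proposed_rules(offenders, table="bruteforce"):
    """Render block candidates as pf commands for a human to review.

    Nothing here modifies the firewall: the parser produces a proposal, and
    the decision to load it stays with the operator (or a separate, audited
    step), which keeps the log parser out of the root-privileged path.
    """
    return sorted(f"pfctl -t {table} -T add {ip}" for ip in offenders)


if __name__ == "__main__":
    print("naive  :", sorted(naive_offenders(SAMPLE_LOG)))
    print("careful:", sorted(careful_offenders(SAMPLE_LOG)))
    for rule in proposed_rules(careful_offenders(SAMPLE_LOG)):
        print(rule)
```

On the sample above the naive parser would block both the real attacker and 192.0.2.44, a host that never connected; the anchored parser blocks only 198.51.100.7. The remaining hazard, that a remote party can still make the parser emit arbitrary addresses within the threshold, is exactly why the proposal is kept separate from the firewall.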
More information about the freebsd-hackers mailing list