Distributed SSH attack

Jukka Ruohonen jruohonen at iki.fi
Sat Oct 3 08:37:51 UTC 2009

On Fri, Oct 02, 2009 at 05:17:59PM -0400, Greg Larkin wrote:
> You could set up DenyHosts and contribute to the pool of IPs that are
> attempting SSH logins on the Net:
> http://denyhosts.sourceforge.net/faq.html#4_0

While I am well aware that a lot of people use DenyHosts or some equivalent
tool, I've always been somewhat skeptical about these tools. Few issues:

1. Firewalls should generally be as static as is possible. There is a reason
   why high securelevel prevents modifications to firewalls.

2. Generally you do not want some parser to modify your firewall rules. 
   Parsing log entries created by remote unauthenticated users as root is
   never a good idea.

3. Doing (2) increases the attack surface.

4. There have been well-documented cases where (3) has opened opportunities
   for both remote and local DoS.

Two cents, as they say,


More information about the freebsd-hackers mailing list