Distributed SSH attack

Bob Bishop rb at gid.co.uk
Sat Oct 3 11:43:59 UTC 2009


On 3 Oct 2009, at 09:13, Jukka Ruohonen wrote:

> While I am well aware that a lot of people use DenyHosts or some equivalent
> tool, I've always been somewhat skeptical about these tools. Few issues:
> 1. Firewalls should generally be as static as is possible. There is a reason
>   why high securelevel prevents modifications to firewalls.
> 2. Generally you do not want some parser to modify your firewall rules.
>   Parsing log entries created by remote unauthenticated users as root is
>   never a good idea.
> 3. Doing (2) increases the attack surface.
> 4. There have been well-documented cases where (3) has opened opportunities
>   for both remote and local DoS.
> Two cents, as they say,
> Jukka.

Blackhole routes can be added as an alternative to tweaking firewall  

The other objections (esp. 3) still apply of course, but these attacks  
are such a PITA (noise in the logs if nothing else) that one has to do  

Bob Bishop
rb at gid.co.uk
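
An added illustration of points 2 and 3 in the quoted message, not part of the original mail and not DenyHosts code: a blocklist derived from sshd log lines with a loose pattern, beside a fully anchored one that validates the address. The log lines are constructed, the `Failed password ... ssh2` line format is an assumption, and the names `source_address` and `offenders` are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines using documentation address ranges, not real logs.
SAMPLE_LOG = [
    "Oct  3 09:10:01 gw sshd[811]: Failed password for root from 203.0.113.5 port 40110 ssh2",
    "Oct  3 09:10:03 gw sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2",
    "Oct  3 09:10:05 gw sshd[811]: Failed password for invalid user test from 203.0.113.5 port 40114 ssh2",
    # The user name is chosen by the remote client and can imitate log syntax.
    "Oct  3 09:10:07 gw sshd[812]: Failed password for invalid user x from 192.0.2.10 port 22 ssh2"
    " from 203.0.113.5 port 40116 ssh2",
    "Oct  3 09:10:09 gw sshd[813]: Failed password for alice from 198.51.100.7 port 50022 ssh2",
]

# Loose: takes the first "from <token>", which may lie inside the user name.
NAIVE = re.compile(r"Failed password for .*? from (\S+)")
# Strict: whole line anchored; the greedy user field leaves only the final
# "from <addr> port <n> ssh2", the part sshd itself appends, for the capture.
STRICT = re.compile(
    r"^\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?.* from (\S+) port \d{1,5} ssh2$"
)

def source_address(line, pattern):
    """Return the peer address the pattern extracts, or None if it is not a valid IP."""
    m = pattern.search(line)
    if m is None:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None  # not an address literal: skip the line rather than guess

def offenders(lines, pattern, threshold=3, never_block=()):
    """Addresses with at least `threshold` failures, minus the exempt ones.

    Only returns a list; meant to run unprivileged, with the caller deciding
    whether entries become blackhole routes or firewall rules.
    """
    exempt = {ipaddress.ip_address(a) for a in never_block}
    hits = (source_address(line, pattern) for line in lines)
    counts = Counter(a for a in hits if a is not None and a not in exempt)
    return sorted(str(a) for a, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print("naive :", offenders(SAMPLE_LOG, NAIVE, threshold=1))
    print("strict:", offenders(SAMPLE_LOG, STRICT, threshold=1))
```

With the loose pattern, an address that never connected ends up in the list; the anchored pattern attributes the same line to the peer that sshd recorded.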

More information about the freebsd-hackers mailing list