Distributed SSH attack
Bob Bishop
rb at gid.co.uk
Sat Oct 3 11:43:59 UTC 2009
Hi,
On 3 Oct 2009, at 09:13, Jukka Ruohonen wrote:
> While I am well aware that a lot of people use DenyHosts or some equivalent
> tool, I've always been somewhat skeptical about these tools. Few issues:
>
> 1. Firewalls should generally be as static as is possible. There is a reason
> why high securelevel prevents modifications to firewalls.
>
> 2. Generally you do not want some parser to modify your firewall rules.
> Parsing log entries created by remote unauthenticated users as root is
> never a good idea.
>
> 3. Doing (2) increases the attack surface.
>
> 4. There have been well-documented cases where (3) has opened opportunities
> for both remote and local DoS.
>
> Two cents, as they say,
>
> Jukka.
Blackhole routes can be added as an alternative to tweaking firewall rules.

The other objections (esp. 3) still apply of course, but these attacks are such a PITA (noise in the logs if nothing else) that one has to do something.
--
Bob Bishop
rb at gid.co.uk
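Added example, not from either poster: a DenyHosts-style pass over constructed sshd log lines that emits blackhole-route commands (FreeBSD route(8) syntax assumed, not executed) while strictly validating the address before it could ever reach a root-run command, which is the exposure objection 2 above is about. The log format, the THRESHOLD value and the sample lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Builds (but does not run) FreeBSD
# blackhole-route commands for addresses with repeated sshd failures.
# Constructed sample log lines; the $(reboot) entry shows why text taken
# from the log must be validated before it reaches a root-run command.
SAMPLE_LOG='Oct  3 11:01:02 host sshd[123]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2
Oct  3 11:01:05 host sshd[124]: Failed password for root from 192.0.2.10 port 4023 ssh2
Oct  3 11:01:09 host sshd[125]: Failed password for invalid user test from 192.0.2.10 port 4024 ssh2
Oct  3 11:02:00 host sshd[126]: Failed password for invalid user $(reboot) from 198.51.100.7 port 5001 ssh2
Oct  3 11:02:03 host sshd[127]: Accepted publickey for bob from 203.0.113.5 port 6000 ssh2'
THRESHOLD=3   # hypothetical setting: failures before an address is listed

# Accept only a plain dotted-quad IPv4 literal; anything else is rejected.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# Count "Failed password" lines per source address. The address is read from
# the fixed "from <ip> port <n> ssh2" tail (assumed sshd format), never from
# the attacker-chosen user field.
failed_counts() {
    printf '%s\n' "$SAMPLE_LOG" |
    awk '/sshd\[[0-9]+\]: Failed password for / && $(NF-4) == "from" && $(NF-2) == "port" {
             c[$(NF-3)]++
         }
         END { for (a in c) print c[a], a }' | sort -rn
}

# Print route(8) commands (assumed FreeBSD syntax) for addresses at or
# above THRESHOLD. Printing instead of executing keeps a human in the loop.
blackhole_candidates() {
    failed_counts | while read -r n ip; do
        [ "$n" -ge "$THRESHOLD" ] || continue
        valid_ipv4 "$ip" || { printf 'skipping unparseable address: %s\n' "$ip" >&2; continue; }
        printf 'route add -host %s 127.0.0.1 -blackhole\n' "$ip"
    done
}

blackhole_candidates
```

Only 192.0.2.10 crosses the threshold here; the host with the hostile user field stays below it, and even if it did not, the address check would drop anything that is not a plain IPv4 literal.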