Should we think of putting this on our servers?

http://www.novell.com/coolsolutions/trench/16341.html This is an ssh blocker that checks for multiple ssh attempts, and adds those hosts to hosts.deny
-- Jerry Feldman <gaf@blu.org> Boston Linux and Unix user group http://www.blu.org PGP key id:C5061EA9 PGP Key fingerprint:053C 73EC 3AC1 5C44 3E14 9245 FB00 3ED5 C506 1EA9

Jerry Feldman wrote:
If you refer to the thread "[SLE] stopping dictionary attacks on sshd", look at the post from Kevin at 15:19 today. There is nothing more to add. This "coolsolution", or changing the port number sshd will listen on, only helps in that these attacks don't fill your logs. Ulf

On Tuesday 08 November 2005 10:40 am, Ulf Rasch wrote:
Adding a host to the /etc/hosts.deny file does much more than prevent my logs from filling up. It's not filling my logs because the offending host is no longer accessing my server. -- Louis Richards

The Wednesday 2005-11-09 at 08:26 -0500, Louis Richards wrote:
Not really. It stops that offender, at least for some time. It will not stop the thousand more offenders out there. It is not a final solution. -- Cheers, Carlos Robinson

Louis Richards wrote:
How many hosts will that script put into your hosts.deny until you give up and try a more secure way? 10, 100, 1000? With password authentication you still give every host which is not in your blacklist x tries. With public-key authentication they can try forever. They would need your key and its password, and not a dictionary, to break into your box through ssh (given that there are security issues with ssh, of course). Given that you have set up your system for public-key authentication and disabled passwords, there would be no need to put this script on your server. Ulf

On Wednesday 09 November 2005 02:57 pm, Ulf Rasch wrote:
You are 100% correct. There are many ways to secure a system and many better than this script. For those of us that are using keys, I would suggest adding from="000.000.000.000" to the beginning of the entry if you know the host IP that will be connecting. Of course, not everyone can use this method as it may be too restrictive. It's a bit of a balancing act. I was only trying to point out that adding a host to my hosts.deny file does quite a bit more than prevent my logs from filling up. As to the number of entries ... the file is overwritten with each run. I usually average about 4 entries in a file. I am using passwords for ssh on some systems and keys on others. I suppose the ones using key files are more secure. The ones running things like NX Server and web apps seemed easier to integrate into single sign-on environments using ssh and passwords. I also run Snort with the SnortSam plugin, which helps. RKHunter happily emails me a report twice a day. After all of this I suspect a determined attacker would still get in. -- Louis Richards
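As an added example (not the Novell script linked above, nor code from anyone in this thread), here is the count-failures-then-block logic the thread is debating, run over constructed sshd log lines, including the "file is overwritten with each run" behaviour Louis describes; the threshold, the marker comments and the allowlist are assumptions of this example:

```python
import re
from collections import Counter

# Constructed sshd log lines in syslog format (not taken from the thread).
SAMPLE_LOG = """\
Nov  9 08:26:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Nov  9 08:26:03 host sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51030 ssh2
Nov  9 08:26:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 51041 ssh2
Nov  9 08:26:08 host sshd[1207]: Failed password for invalid user oracle from 203.0.113.7 port 51052 ssh2
Nov  9 08:27:10 host sshd[1210]: Failed password for louis from 198.51.100.20 port 40012 ssh2
Nov  9 08:27:15 host sshd[1210]: Accepted publickey for louis from 198.51.100.20 port 40012 ssh2
Nov  9 08:30:00 host sshd[1220]: Failed password for invalid user guest from 192.0.2.99 port 33011 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port"
)

def count_failures(log_text):
    """Count failed-password attempts per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def offenders(log_text, threshold=3, allowlist=()):
    """IPs with at least `threshold` failures, minus an allowlist of known-good hosts."""
    return sorted(ip for ip, n in count_failures(log_text).items()
                  if n >= threshold and ip not in allowlist)

def hosts_deny_block(ips, marker="# sshblock"):
    """Render tcp_wrappers lines (daemon: client) between marker comments."""
    lines = [f"{marker} begin"] + [f"sshd: {ip}" for ip in ips] + [f"{marker} end"]
    return "\n".join(lines) + "\n"

def rewrite_hosts_deny(existing, ips, marker="# sshblock"):
    """Replace only the marked block, so hand-written hosts.deny entries survive each run."""
    kept, skipping = [], False
    for line in existing.splitlines():
        if line == f"{marker} begin":
            skipping = True
        elif line == f"{marker} end":
            skipping = False
        elif not skipping:
            kept.append(line)
    return "".join(l + "\n" for l in kept) + hosts_deny_block(ips, marker)
```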

participants (5)
- Carlos E. R.
- Jerry Feldman
- Louis Richards
- Sunny
- Ulf Rasch