On Sat, Apr 12, 2008 at 2:44 AM, Sam Clemens wrote:
> Sylvester Lykkehus wrote:
>> Hello list,
>> In an attempt to minimize ssh brute force attacks, I deployed denyhosts ( http://denyhosts.sf.net ) some time ago on an openSUSE 10.2 server. It's working perfectly, and I am very pleased with it.
>> Now I want to take denyhosts out of daemon mode, and have it executed only upon ssh connection attempts.
>
> Daemons only get CPU cycles when they need to run.
> By reconfiguring it as you propose, you're going to be continually re-loading it every time it needs to execute, slowing down both overall system performance and network performance. Even being reloaded after getting swapped out to disk is faster than continually looking up the file's path and walking through the filesystem to load up the executable every time, as opposed to going directly to the correct blocks needed in a swap partition.

Further, DenyHosts is a Python application that monitors the authentication logs and writes IPs to /etc/hosts.deny. This is not at all efficient, and easily outsmarted. Further, it does not address clearing out the /etc/hosts.deny file, as would be required sooner or later.

A much better solution is to use the rate limit of iptables, most easily implemented via shorewall, but it can be done in suse firewall as well. Rate limiting works not only on ssh, but on any port. After X attempts from a given IP within Y timeframe, subsequent attempts are dropped for Z time intervals. It's self-healing, so someone who fat-fingers the keyboard X times in a row has to wait, but it will not require manual action for the limit to clear. I use this to rate limit ssh, ftp, and IMAP.

http://blog.blackdown.de/2005/02/18/mitigating-ssh-brute-force-attacks-with-...

----------JSA---------
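
The per-source rate limit described in the message above can be written with the iptables `recent` match. The following is an added example, not taken from the message or from the linked post. The function name `ratelimit_rules`, the `RL_<port>` list name and the use of the INPUT chain are assumptions; X maps to `--hitcount` and Y to `--seconds`.

```shell
#!/bin/sh
# Added example: print iptables rules that drop a source address once it has
# opened HITS new TCP connections to PORT within SECONDS ("recent" match).
# Assumed names: function ratelimit_rules, list RL_<port>, chain INPUT.

# ratelimit_rules PORT HITS SECONDS -> one iptables command per line on stdout
ratelimit_rules() {
    port=$1 hits=$2 secs=$3
    # Accept plain decimal digits only, so nothing else reaches a command line.
    for n in "$port" "$hits" "$secs"; do
        case $n in
            ''|*[!0-9]*) echo "not a non-negative integer: '$n'" >&2; return 2 ;;
        esac
    done
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 2
    fi
    # xt_recent stores ip_pkt_list_tot timestamps per address (default 20);
    # a hit count above that limit is rejected when the rule is loaded.
    if [ "$hits" -lt 1 ] || [ "$hits" -gt 20 ]; then
        echo "hits must be 1..20 with default xt_recent settings" >&2; return 2
    fi
    [ "$secs" -ge 1 ] || { echo "seconds must be >= 1" >&2; return 2; }

    list="RL_$port"
    match="-p tcp --dport $port -m conntrack --ctstate NEW -m recent --name $list"
    # Rule 1: record source address and time of every new connection.
    echo "iptables -A INPUT $match --set"
    # Rule 2: drop if this source now has HITS or more entries within SECONDS,
    # so the HITS-th attempt in the window is the first one dropped. Dropped
    # attempts are still recorded by rule 1; the block lifts by itself once the
    # source has been quiet long enough, with no list to clean up by hand.
    echo "iptables -A INPUT $match --update --seconds $secs --hitcount $hits -j DROP"
}

# Print the rules for review when called as: script PORT HITS SECONDS
if [ "$#" -eq 3 ]; then
    ratelimit_rules "$1" "$2" "$3"
fi
```

The two rules only take effect if they are evaluated before whatever rule accepts the port; review the printed commands and run them as root once they fit the existing rule set.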