|
Full Disclosure
mailing list archives
Re: SSH Bruteforce blocking script
From: "Pedro Hugo " <fractalg () highspeedweb net>
Date: Fri, 2 Sep 2005 05:53:04 -0400
Hi,
I don't want to debate the goodness or badness of the strategy of
blocking hosts like this in /etc/hosts.deny. It works perfectly for me,
and most
likely would for you, so no religious debates thanks. It's effective at
blocking bruteforce attacks. If a host EXCEEDS a specified number of
guesses
during the (configurable) 30 seconds it takes the script to cycle, the
host is blacklisted.
Why are you doing this the wrong way ? You should whitelist hosts, instead blacklisting them.
Unless you have administrative reasons for such decision, hosts.deny should be set to ALL:ALL, and you should allow
specifically in hosts.allow.
This way everything is dropped by default. Tcpwrappers should be configured the same way a firewall is, unless there is
something against it.
Even if you have customers who need remote access, adding a few ip's is much better than having open by default.
Kind Regards,
Pedro Hugo
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 By Date 
By Thread
Current thread:
- Re: SSH Bruteforce blocking script, (continued)
|
Intro
