[Freedombox-discuss] Block brute force login attacks?

Joost van Baal-Ilić joostvb-freedombox at mdcc.cx
Wed Mar 19 05:08:53 UTC 2014


On Tue, Mar 18, 2014 at 11:32:49PM +0000, Philip Hands wrote:
> Petter Reinholdtsen <pere at hungry.com> writes:
> > Hi.
> >
> > On all my machines, I install denyhosts with a two hour timeout
> > (DAEMON_PURGE = 2h), to block those trying to brute force a ssh login.
> > Should we do something similar on the Freedombox?
> >
> > In addition to denyhosts (which only handle ssh), there are other
> > relevant packages in Debian:
> >
> >   libpam-shield - locks out remote attackers trying password guessing
> >   libpam-abl - blocks hosts which are attempting a brute force attack
>   fail2ban
> The trouble with this approach is that an attacker can always widen
> their net, trying passwords against _many_ hosts, so that they only come
> back to any particular host after a decent interval.  If they're smart
> they'll be using a lot of source addresses (a bot-net, say) and they'll
> be able to work out quite quickly what the parameters are for you to ban
> them, and aim just under the RADAR.
> So, what you're doing is blocking only the less dangerous attackers
> while giving yourself a nice warm glow.
> One would be a lot better off disabling passwords,
<snip more alternatives>

Indeed. Perhaps we can allow password-based logins from the local network,
while requiring keypair-based authentication for logins from the internet.



In their capacity as a tool, computers will be but a ripple on the
surface of our culture. In their capacity as intellectual
challenge, they are without precedent in the cultural history of
mankind.     --Edsger W Dijkstra (1930-2002), Turing Award lecture

More information about the Freedombox-discuss mailing list