[Freedombox-discuss] Block brute force login attacks?

Petter Reinholdtsen pere at hungry.com
Wed Mar 19 06:38:33 UTC 2014

[Philip Hands]
> The trouble with this approach is that an attacker can always widen
> their net, trying passwords against _many_ hosts, so that they only
> come back to any particular host after a decent interval.  If
> they're smart they'll be using a lot of source addresses (a bot-net,
> say) and they'll be able to work out quite quickly what the
> parameters are for you to ban them, and aim just under the RADAR.
> So, what you're doing is blocking only the less dangerous attackers
> while giving yourself a nice warm glow.

Absolutely, and such slow under-the-RADAR scanning is going on, as can
be seen from
<URL: http://bsdly.blogspot.no/search/label/Hail%20Mary%20Cloud >.
But the net gain of blocking some (even less dangerous) attackers is,
as I see it, very real, and worth it if the setup is easy and the
negative consequences are small.

So far these alternatives for doing that are identified:

  iptables / ufw rules
  libpam-shield - locks out remote attackers trying password guessing
  libpam-abl - blocks hosts which are attempting a brute force attack
  fail2ban - ban hosts that cause multiple authentication errors
  (*) denyhosts - Utility to help sys admins thwart SSH crackers

(*) denyhosts is removed from unstable and testing, and not really a
good option for us.

I'm not sure which one of these is the best option.  A PAM-based
solution seems more flexible and able to handle many protocols, but
which of the two is fit for the task?

Happy hacking
Petter Reinholdtsen
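
Added example, not part of the original message and not the code of any tool listed above: a minimal per-source failure counter with a sliding window, run over constructed login failures, showing both the gain Petter describes and the gap Philip describes. The threshold values, function names and documentation-range addresses are assumptions, and bans never expire in this sketch.

```python
from collections import defaultdict, deque

MAXRETRY = 5    # assumed: failures tolerated per source inside the window
FINDTIME = 600  # assumed: sliding window length in seconds


def ban_sources(events, maxretry=MAXRETRY, findtime=FINDTIME):
    """Apply a per-source threshold to (timestamp, source_ip) login failures.

    Returns (banned, reached): banned maps source -> time of ban, reached
    counts the failed attempts that still got to the authentication stack.
    """
    recent = defaultdict(deque)  # source -> timestamps inside the window
    banned = {}
    reached = 0
    for ts, src in sorted(events):
        if src in banned:
            continue  # dropped before authentication
        reached += 1
        window = recent[src]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()  # forget failures older than the window
        if len(window) >= maxretry:
            banned[src] = ts
    return banned, reached


def constructed_events():
    """Constructed sample data, not taken from any real log."""
    # One noisy source: 50 failures, one every 2 seconds.
    noisy = [(i * 2, "192.0.2.10") for i in range(50)]
    # 40 sources, each failing 3 times with an hour between attempts.
    slow = [(n * 3600 + i * 7, f"198.51.100.{i + 1}")
            for n in range(3) for i in range(40)]
    return noisy + slow


if __name__ == "__main__":
    events = constructed_events()
    banned, reached = ban_sources(events)
    print("total failures:", len(events))
    print("banned sources:", banned)
    print("failures that reached authentication:", reached)
    print("failures dropped by the ban:", len(events) - reached)
```

The noisy source is cut off after its fifth attempt, while every attempt from the slow, distributed sources stays under the threshold and reaches authentication.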
