[Freedombox-discuss] Block brute force login attacks?
Petter Reinholdtsen
pere at hungry.com
Wed Mar 19 06:38:33 UTC 2014
[Philip Hands]
> The trouble with this approach is that an attacker can always widen
> their net, trying passwords against _many_ hosts, so that they only
> come back to any particular host after a decent interval. If
> they're smart they'll be using a lot of source addresses (a bot-net,
> say) and they'll be able to work out quite quickly what the
> parameters are for you to ban them, and aim just under the RADAR.
>
> So, what you're doing is blocking only the less dangerous attackers
> while giving yourself a nice warm glow.
Absolutely, and such slow under-the-RADAR scanning is going on, as can
be seen from
<URL: http://bsdly.blogspot.no/search/label/Hail%20Mary%20Cloud >.
But the net gain of blocking some (even less dangerous) attackers is,
as I see it, very real, and worth it if the setup is easy
and the negative consequences are small.
So far these alternatives for doing that are identified:
iptables / ufw rules
libpam-shield - locks out remote attackers trying password guessing
libpam-abl - blocks hosts which are attempting a brute force attack
fail2ban - ban hosts that cause multiple authentication errors
(*) denyhosts - Utility to help sys admins thwart SSH crackers
(*) denyhosts is removed from unstable and testing, and not really a
good option for us.
I'm not sure which one of these is the best option. A PAM based
solution seems more flexible and able to handle many protocols, but
which of the two is fit for the task?
--
Happy hacking
Petter Reinholdtsen
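The thread's point is that a per-IP ban threshold (the fail2ban / pam-abl model) is easy to stay under when guesses are spread over many source addresses, while the same activity is still visible when failures are aggregated per targeted account. As an added example that is not from the thread or from any of the listed tools, the script below runs both views over constructed sshd log lines; the thresholds (maxretry, findtime, min_sources, window) are assumed values, not defaults of any tool.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sshd log lines (not from the thread): five guesses against one
# account from four source addresses, each far below a per-IP ban threshold.
SAMPLE_LOG = """\
Mar 19 06:00:01 fbx sshd[1001]: Failed password for root from 203.0.113.10 port 40001 ssh2
Mar 19 06:03:15 fbx sshd[1002]: Failed password for root from 203.0.113.11 port 40002 ssh2
Mar 19 06:05:40 fbx sshd[1003]: Failed password for invalid user admin from 198.51.100.7 port 40003 ssh2
Mar 19 06:07:02 fbx sshd[1004]: Failed password for root from 203.0.113.12 port 40004 ssh2
Mar 19 06:09:30 fbx sshd[1005]: Failed password for root from 203.0.113.10 port 40005 ssh2
Mar 19 06:11:11 fbx sshd[1006]: Failed password for root from 203.0.113.13 port 40006 ssh2
Mar 19 06:12:45 fbx sshd[1007]: Accepted publickey for pere from 192.0.2.5 port 40007 ssh2
"""
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse_failures(log_text, year=2014):
    """Return (timestamp, user, ip) for every failed-password line (syslog has no year)."""
    out = []
    for line in log_text.splitlines():
        if (m := FAILED_RE.match(line)):
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["user"], m["ip"]))
    return out

def per_ip_bans(failures, maxretry=5, findtime=timedelta(minutes=10)):
    """fail2ban-style rule (assumed thresholds): ban an IP with >= maxretry failures inside findtime."""
    by_ip = defaultdict(list)
    for ts, _user, ip in failures:
        by_ip[ip].append(ts)
    return {ip for ip, times in by_ip.items()
            if any(sum(1 for t in times if start <= t <= start + findtime) >= maxretry
                   for start in times)}

def distributed_targets(failures, min_sources=3, window=timedelta(minutes=15)):
    """Flag accounts guessed from >= min_sources distinct IPs within one window."""
    by_user = defaultdict(list)
    for ts, user, ip in failures:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, events in by_user.items():
        # most distinct sources seen in any window that starts at one of the failures
        peak = max(len({ip for t, ip in events if start <= t <= start + window})
                   for start, _ip in events)
        if peak >= min_sources:
            flagged[user] = peak
    return flagged
```

On the sample, the per-IP rule bans nothing (no address reaches five failures) while the per-account view reports root being guessed from four sources; the second view is a detection signal for a log monitor, not a ban list, since banning on it would lock out the targeted account's owner as well.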