Comments on: The annoyance of brute force attacks. http://www.cafaro.net/2007/10/24/the-annoyance-and-brute-force-attacks/ A site to collect thoughts and figures of the moment. Wed, 13 Aug 2008 04:03:54 -0400 http://wordpress.org/?v=2.9.2 hourly 1 By: D-Caf http://www.cafaro.net/2007/10/24/the-annoyance-and-brute-force-attacks/comment-page-1/#comment-7651 D-Caf Wed, 24 Oct 2007 15:40:50 +0000 http://www.cafaro.net/2007/10/24/the-annoyance-and-brute-force-attacks/#comment-7651 Very good points, and I've looked into a few of them. Unfortunately the IP block won't work, between users who roam a lot and dynamic IPs, just not feasible for several servers. I've actually looked at the DenyHosts and the ssh door knockers (attempt two SSH connections which fail as no ssh server, the third time it connects, if from the same IP), which are promising, but I've had some issues with software versions and possibly breaking simple rpm software updates. It's always a balancing act, and on some of my servers I've implement the things you've mentioned, as they help a LOT. Just wish it didn't have to be so (I know, dreaming again...) :-) Very good points, and I’ve looked into a few of them. Unfortunately the IP block won’t work, between users who roam a lot and dynamic IPs, just not feasible for several servers. I’ve actually looked at the DenyHosts and the ssh door knockers (attempt two SSH connections which fail as no ssh server, the third time it connects, if from the same IP), which are promising, but I’ve had some issues with software versions and possibly breaking simple rpm software updates.

It’s always a balancing act, and on some of my servers I’ve implement the things you’ve mentioned, as they help a LOT. Just wish it didn’t have to be so (I know, dreaming again…) :-)

]]> By: jjtuttle http://www.cafaro.net/2007/10/24/the-annoyance-and-brute-force-attacks/comment-page-1/#comment-7650 jjtuttle Wed, 24 Oct 2007 15:26:10 +0000 http://www.cafaro.net/2007/10/24/the-annoyance-and-brute-force-attacks/#comment-7650 I don't mean to preach to the choir, but there are things you can do about this. In my particular situation I only need to allow SSH/FTP access to a few people and have made an arrangement with them to only allow access from predetermined IP addresses. Iptables drops all other connection attempts without logging. If you can't do that there is always <a href="http://denyhosts.sourceforge.net/" rel="nofollow">DenyHosts</a>, the dynamic tcpwrapper script for hosts.deny. I deny all and only allow known hosts, but if you're open to the world this may be handy. Of course, as minimum line of defense you could move listening services to unused high ports. Obscurity is better than nothing. I'm lucky in that I can limit connections to known hosts. An attacker won't even know my system is there with a full port scan. I remember, though, the days when I'd have thousands of attempted connections a day. Don't miss it a bit. I don’t mean to preach to the choir, but there are things you can do about this. In my particular situation I only need to allow SSH/FTP access to a few people and have made an arrangement with them to only allow access from predetermined IP addresses. Iptables drops all other connection attempts without logging. If you can’t do that there is always DenyHosts, the dynamic tcpwrapper script for hosts.deny. I deny all and only allow known hosts, but if you’re open to the world this may be handy. Of course, as minimum line of defense you could move listening services to unused high ports. Obscurity is better than nothing.

I’m lucky in that I can limit connections to known hosts. An attacker won’t even know my system is there with a full port scan. I remember, though, the days when I’d have thousands of attempted connections a day. Don’t miss it a bit.

]]>