[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] SSH Bruteforce blocking script

To: <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] SSH Bruteforce blocking script
From: "Pedro Hugo " <fractalg@xxxxxxxxxxxxxxxx>
Date: Fri, 2 Sep 2005 05:53:04 -0400

Hi,

>I don't want to debate the goodness or badness of the strategy of
>blocking hosts like this in /etc/hosts.deny. It works perfectly for me,
>and most
>likely would for you, so no religious debates thanks. It's effective at
>blocking bruteforce attacks. If a host EXCEEDS a specified number of
>guesses
>during the (configurable) 30 seconds it takes the script to cycle, the
>host is blacklisted.
>

Why are you doing this the wrong way ? You should whitelist hosts, instead 
blacklisting them.
Unless you have administrative reasons for such decision, hosts.deny should be 
set to ALL:ALL, and you should allow specifically in hosts.allow.
This way everything is dropped by default. Tcpwrappers should be configured the 
same way a firewall is, unless there is something against  it. 
Even if you have customers who need remote access, adding a few ip's is much 
better than having open by default.
Kind Regards,
Pedro Hugo
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] SSH Bruteforce blocking script
Next by Date: [Full-disclosure] [SECURITY] [DSA 798-1] New phproupware packages fix several vulnerabilities
Previous by thread: Re: [Full-disclosure] SSH Bruteforce blocking script
Next by thread: RE: [Full-disclosure] SSH Bruteforce blocking script
Index(es):
- Date
- Thread