public inbox for gentoo-user@lists.gentoo.org
From: Alan McKinnon <alan.mckinnon@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Curious pattern in log files from ssh...
Date: Thu, 4 Dec 2008 23:20:12 +0200
Message-ID: <200812042320.12159.alan.mckinnon@gmail.com>
In-Reply-To: <49382975.5080701@yahoo.de>

On Thursday 04 December 2008 21:03:17 Christian Franke wrote:
> On 12/03/2008 09:02 PM, Steve wrote:
> > I've recently discovered a curious pattern emerging in my system log
> > with failed login attempts via ssh.
> >
> > I'm not particularly concerned - since I'm confident that all my users
> > have strong passwords... but it strikes me that this data identifies a
> > bot-net that is clearly malicious attempting to break passwords.
> >
> > Sure, I could use IPtables to block all these bad ports... or... I could
> > disable password authentication entirely... but I keep thinking that
> > there has to be something better I can do... any suggestions?  Is there
> > a simple way to integrate a block-list of known-compromised hosts into
> > IPtables - rather like my postfix is configured to drop connections from
> > known spam sources from the sbl-xbl.spamhaus.org DNS block list, for
> > example.
>
> I just don't see what blocking ssh-bruteforce attempts should be good
> for, at least on a server where few _users_ are active.

Two reasons:

a. Maybe, just maybe, you overlooked something. Belts, braces and a drawstring 
for good measure is not a bad thing.

b. You probably want to get all that crap out of your log files off into some 
other place where you can cope with it. Parsing auth log files that are 95% 
brute force attempts is no fun. I like to have the crap in place A and the 
real stuff in place B; it makes my job so much easier.
>
> The chance that security of a well configured system will be compromised
> by that is next to zero, and on recent systems it is also impossible to
> cause significant load with ssh-login-attempts.

Uh-huh. We all said that for many years. Then some bright spark actually 
looked at the patches the debian openssh maintainer was applying and we all 
had one of those special "oops..." moments.

Did you have any idea of just how weak certs made on a debian box were before 
it hit the headlines? No-one I know did.

> Also, things like fail2ban add new attack-possibilities to a system, I
> remember the old DoS for fail2ban, resulting from a wrong regex in log
> file parsing, but I think at least this is fixed now.

Whereas that is true enough in itself, the actual risk of such is rather low 
in comparison to the gains. Hence it is not a valid reason to not use 
fail2ban and such-like apps.

If it were, we should all just stop using iptables and libwrap and openssl on 
the off-chance that maybe, just maybe, they open an attack vector. But that's 
silly reasoning right?


-- 
alan dot mckinnon at gmail dot com
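Alan's point (b), routing brute-force noise to "place A" and real logins to "place B", and Christian's remark about fail2ban's log-parsing regex, both come down to how sshd log lines are parsed. The script below is an added example written for this archive page; it is not code from the thread, from fail2ban or from OpenSSH. It assumes the classic syslog-style sshd line format ("Failed password for ... from <ip> port <n> ssh2", "Invalid user ... from <ip>", "Accepted <method> for ... from <ip> port <n>"), the sample lines are constructed with RFC 5737 documentation addresses, and the ban threshold of 3 is an arbitrary choice. The last "Invalid user" sample line carries a username that itself contains "from <ip> port <n>"; because the regexes are anchored on the end of the line, the source address is still taken from the last "from", so a crafted username cannot make the parser attribute the attempt to a third party.

```python
import re
from collections import Counter

# Constructed sample sshd auth-log lines in syslog format; none are taken from the thread.
# Addresses are RFC 5737 documentation ranges. The second-to-last line has a crafted
# username containing "from 203.0.113.5 port 2222" to exercise the end-of-line anchoring.
SAMPLE_LOG = """\
Dec  4 21:01:02 host sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Dec  4 21:01:05 host sshd[1235]: Failed password for invalid user oracle from 198.51.100.7 port 40130 ssh2
Dec  4 21:01:09 host sshd[1236]: Invalid user test from 198.51.100.7
Dec  4 21:01:12 host sshd[1237]: Failed password for root from 198.51.100.7 port 40141 ssh2
Dec  4 21:02:30 host sshd[1240]: Accepted publickey for steve from 192.0.2.10 port 51022 ssh2
Dec  4 21:03:00 host sshd[1241]: Failed password for steve from 192.0.2.10 port 51030 ssh2
Dec  4 21:03:05 host sshd[1242]: Accepted password for steve from 192.0.2.10 port 51031 ssh2
Dec  4 21:04:00 host sshd[1243]: Invalid user bob from 203.0.113.5 port 2222 from 192.0.2.10 port 44444
Dec  4 21:05:00 host sshd[1244]: Received disconnect from 198.51.100.7: 11: Bye Bye
"""

IP = r"[0-9A-Fa-f.:]+"

# Failed attempts. The username group is lazy and the whole pattern is anchored at the
# end of the line, so the address is always the *last* "from <ip>" on the line; an
# attacker-chosen username cannot spoof the source field.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?|Invalid user )"
    r"(?P<user>.+?) from (?P<ip>" + IP + r")(?: port \d+)?(?: ssh2)?$"
)
# Successful logins: the "real stuff" that belongs in place B.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>.+?) from (?P<ip>" + IP + r")"
    r" port \d+(?: ssh2)?$"
)


def classify(line):
    """Return ("failed", user, ip), ("accepted", user, ip), or None for lines not routed."""
    m = FAILED_RE.search(line)
    if m:
        return ("failed", m.group("user"), m.group("ip"))
    m = ACCEPTED_RE.search(line)
    if m:
        return ("accepted", m.group("user"), m.group("ip"))
    return None


def triage(log_text, threshold=3):
    """Split an auth log into noise (failed attempts), real logins and everything else.

    Also counts failures per source address and lists the addresses at or above
    `threshold`, which is the kind of decision a fail2ban-style tool makes.
    """
    noise, real, other = [], [], []
    failures = Counter()
    for line in log_text.splitlines():
        kind = classify(line)
        if kind is None:
            other.append(line)          # unrecognised: keep for manual review, never drop
        elif kind[0] == "failed":
            noise.append(line)
            failures[kind[2]] += 1
        else:
            real.append(line)
    candidates = sorted(ip for ip, n in failures.items() if n >= threshold)
    return {
        "noise": noise,
        "real": real,
        "other": other,
        "failures": dict(failures),
        "ban_candidates": candidates,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("place A (noise):", len(result["noise"]), "lines")
    print("place B (real): ", len(result["real"]), "lines")
    print("unrouted:       ", len(result["other"]), "lines")
    for ip, n in sorted(result["failures"].items(), key=lambda kv: -kv[1]):
        print(f"{ip:>16}  {n} failed attempts")
    print("at/above threshold:", result["ban_candidates"])
```

Run as a script it reports 6 noise lines, 2 real logins, one unrouted line, 198.51.100.7 as the only address over the threshold, and it attributes the crafted "Invalid user" line to 192.0.2.10, not to the address embedded in the username. The same split is what a syslog filter or a fail2ban jail does for you; the point of writing it out is to see that the cost of the "belts and braces" is one carefully anchored regex.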


