On 12/03/2008 09:02 PM, Steve wrote:
> I've recently discovered a curious pattern emerging in my system log
> with failed login attempts via ssh.
>
> I'm not particularly concerned - since I'm confident that all my users
> have strong passwords... but it strikes me that this data identifies a
> bot-net that is clearly malicious, attempting to break passwords.
>
> Sure, I could use IPtables to block all these bad ports... or... I could
> disable password authentication entirely... but I keep thinking that
> there has to be something better I can do... any suggestions? Is there
> a simple way to integrate a block-list of known-compromised hosts into
> IPtables - rather like my postfix is configured to drop connections from
> known spam sources from the sbl-xbl.spamhaus.org DNS block list, for
> example.

I just don't see what blocking ssh brute-force attempts should be good for, at least on a server where few _users_ are active. The chance that the security of a well-configured system will be compromised by that is next to zero, and on recent systems it is also impossible to cause significant load with ssh login attempts.

Also, things like fail2ban add new attack possibilities to a system. I remember the old DoS for fail2ban, resulting from a wrong regex in log file parsing, but I think at least this is fixed now.

Regards,
Christian Franke
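As an added illustration of the two points raised in this thread (counting failed ssh logins per source from the system log, and the fail2ban-style regex parsing that caused the DoS Christian mentions), here is a small Python parser that is not part of the original mail. The log lines are constructed samples in OpenSSH's syslog format with documentation-range IPs; the threshold and the generated iptables command strings are assumptions, and nothing is executed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format OpenSSH writes to syslog (hypothetical host and IPs).
SAMPLE_LOG = """\
Dec  3 20:55:01 host sshd[4121]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Dec  3 20:55:03 host sshd[4123]: Failed password for invalid user oracle from 198.51.100.7 port 51240 ssh2
Dec  3 20:55:05 host sshd[4125]: Failed password for root from 198.51.100.7 port 51251 ssh2
Dec  3 20:55:07 host sshd[4127]: Failed password for steve from 203.0.113.9 port 40022 ssh2
Dec  3 20:55:09 host sshd[4129]: Accepted publickey for steve from 203.0.113.9 port 40023 ssh2
Dec  3 20:55:11 host sshd[4131]: Failed password for invalid user test from 198.51.100.7 port 51260 ssh2
"""

# Anchored at both ends, with no nested or unbounded-overlapping quantifiers, so
# a crafted username cannot make matching blow up (the class of bug behind the
# old fail2ban log-parsing DoS mentioned in the thread).
FAILED_RE = re.compile(
    r"^\S+\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def parse_failures(log_text):
    """Return {source_ip: [usernames tried]} for every sshd 'Failed password' line."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            attempts[m.group("ip")].append(m.group("user"))
    return dict(attempts)

def brute_force_sources(log_text, threshold=3):
    """Source IPs with at least `threshold` failures, as (ip, count) sorted by count."""
    counts = Counter({ip: len(users) for ip, users in parse_failures(log_text).items()})
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]

def iptables_drop_rules(log_text, threshold=3):
    """iptables commands (returned as strings, never run) that would drop ssh from offenders."""
    return [f"iptables -I INPUT -p tcp --dport 22 -s {ip} -j DROP"
            for ip, _ in brute_force_sources(log_text, threshold)]

if __name__ == "__main__":
    for rule in iptables_drop_rules(SAMPLE_LOG):
        print(rule)
```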