From: Christian Franke
Date: Thu, 04 Dec 2008 20:03:17 +0100
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Curious pattern in log files from ssh...
Message-ID: <49382975.5080701@yahoo.de>
In-Reply-To: <4936E5E3.1040606@shic.co.uk>

On 12/03/2008 09:02 PM, Steve wrote:
> I've recently discovered a curious pattern emerging in my system log
> with failed login attempts via ssh.
>
> I'm not particularly concerned - since I'm confident that all my users
> have strong passwords... but it strikes me that this data identifies a
> bot-net that is clearly malicious attempting to break passwords.
>
> Sure, I could use IPtables to block all these bad ports... or... I could
> disable password authentication entirely... but I keep thinking that
> there has to be something better I can do... any suggestions? Is there
> a simple way to integrate a block-list of known-compromised hosts into
> IPtables - rather like my postfix is configured to drop connections from
> known spam sources from the sbl-xbl.spamhaus.org DNS block list, for
> example.

I just don't see what blocking ssh-bruteforce attempts should be good for,
at least on a server where few _users_ are active. The chance that security
of a well configured system will be compromised by that is next to zero,
and on recent systems it is also impossible to cause significant load with
ssh-login-attempts.

Also, things like fail2ban add new attack-possibilities to a system. I
remember the old DoS for fail2ban, resulting from a wrong regex in log file
parsing, but I think at least this is fixed now.

Regards,
Christian Franke
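The log-parsing pitfall Christian refers to, shown on constructed sshd log lines as an added example (this is not code from the thread or from fail2ban): an unanchored regex lets a client-supplied username decide which address gets counted, so an automated ban could land on a host that never connected, while a pattern anchored to the real end of the log line keeps the address field under the server's control. The names SAMPLE_LOG, LOOSE, STRICT, failed_sources and ban_candidates are mine, and the sample lines are constructed to show the parsing defect, not a transcript of any particular OpenSSH version.

```python
import re

# Constructed sshd auth-log lines (not taken from the original thread).
# The third line carries a client-supplied username that itself looks
# like a "from <ip> port <n> ssh2" suffix; 192.0.2.10 never connected.
SAMPLE_LOG = """\
Dec  3 20:55:01 host sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51204 ssh2
Dec  3 20:55:03 host sshd[4122]: Failed password for invalid user oracle from 203.0.113.7 port 51210 ssh2
Dec  3 20:55:05 host sshd[4125]: Failed password for invalid user x from 192.0.2.10 port 22 ssh2 from 203.0.113.7 port 51215 ssh2
Dec  3 20:55:09 host sshd[4130]: Accepted publickey for steve from 198.51.100.5 port 40022 ssh2
"""

# Loose pattern: unanchored and satisfied by the FIRST "from <something>",
# so whatever follows the username decides the captured address.
LOOSE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")

# Anchored pattern: the username is everything up to the LAST
# " from <ip> port <n> ssh2" at end of line, which sshd itself appends,
# so a crafted username cannot supply the address field.
STRICT = re.compile(
    r"Failed password for (?:invalid user )?(.+) from (\S+) port \d+ ssh2$"
)


def failed_sources(log, pattern):
    """Count failed password attempts per source address using `pattern`."""
    counts = {}
    for line in log.splitlines():
        m = pattern.search(line)
        if m:
            ip = m.group(2)
            counts[ip] = counts.get(ip, 0) + 1
    return counts


def ban_candidates(counts, threshold):
    """Addresses that reached `threshold` failures, sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    # The loose parser attributes one failure to 192.0.2.10, a host that
    # never connected; the strict parser charges all three to 203.0.113.7.
    print("loose :", failed_sources(SAMPLE_LOG, LOOSE))
    print("strict:", failed_sources(SAMPLE_LOG, STRICT))
```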