From: Steve <Gentoo_sjh@shic.co.uk>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Curious pattern in log files from ssh...
Date: Fri, 05 Dec 2008 11:24:34 +0000	[thread overview]
Message-ID: <49390F72.20406@shic.co.uk> (raw)
In-Reply-To: <200812042320.12159.alan.mckinnon@gmail.com>

Alan McKinnon wrote:
> On Thursday 04 December 2008 21:03:17 Christian Franke wrote:
>   
>> I just don't see what blocking ssh-bruteforce attempts should be good
>> for, at least on a server where few _users_ are active.
>>     
> Two reasons:
>
> a. Maybe, just maybe, you overlooked something. Belts, braces and a drawstring 
> for good measure is not a bad thing.
>
> b. You probably want to get all that crap out of your log files off into some 
> other place where you can cope with it. Parsing auth log files that are 95% 
> brute force attempts is no fun. I like to have the crap in place A and the 
> real stuff in place B, makes my job so much easier
>   
I agree 100% with the above - another issue is that I'd like to block
all traffic from malicious hosts - I realise that the traffic is low at
the moment, but that need not be the case in future.
>> Also, things like fail2ban add new attack-possibilities to a system, I
>> remember the old DoS for fail2ban, resulting from a wrong regex in log
>> file parsing, but I think at least this is fixed now.
>>     
> Whereas that is true enough in itself, the actual risk of such is rather low 
> in comparison to the gains. Hence it is not a valid reason to not use 
> fail2ban and such-like apps.
The issue for me is that the cost of a DoS is far, far lower than the
cost of a break-in.  The cost of a DoS that prevents access from new
hosts is orders of magnitude lower than the cost of a DoS.  Everyone's
risk profiles are different - but, for me, keeping out intruders is
critical (they may result in unrecoverable data loss) and my
accessibility objective is that it be the 'norm' that I can log in with
an unusual username and complex password from a trustworthy PC whose IP
address cannot be determined in advance... using only bog-standard
tools and no non-remembered personal data.

I'm coming around to the idea of port-knocking, but my gut instinct is
that it is a bit baroque and has potential for me to louse up its
implementation... It definitely adversely affects usability - though, I
admit, less than I first suspected.  I'm still quite interested in the
idea of identifying botnets where they are used to subvert the tactics used by
fail2ban, blacklist.py, etc. and using these to, in turn, block access
to any service... including, for example, hosted web services which are,
potentially, in spite of taking all the obvious precautions, more
vulnerable to attack - IMHO.

I'm definitely thinking that it would be a good idea if there were a way
to publish botnet lists... such that they could be collated and turned
into a DNSBL-style resource.  If such a resource existed, I'd definitely
choose to use it (overridden by a few whitelist entries of my own -
just in case...) and I'd be very happy to report back to it in order to
help keep this problem under control.  Incidentally, I'd also
consider it useful to monitor this block list for any occurrence of my
own IP address - since that would be an early indication that one of my
hosts may be compromised.
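The two mechanisms discussed in this message, a fail2ban-style count of failed sshd logins per source address and a DNSBL-style blocklist lookup with a local whitelist override plus a self-check for one's own addresses, as an added worked example. This is not code from the thread, from fail2ban or from blacklist.py; the log lines, the hostname, the zone name `bl.example`, the year used to complete the syslog timestamps and the in-memory "DNS" records are all constructed so that it runs offline. The parser is anchored on the trailing `port N ssh2` so that a username chosen by the attacker to look like `... from 192.0.2.10 port 1 ssh2` cannot make the filter ban the wrong address, which is the kind of log-parsing mistake Christian refers to.

```python
"""Added example: sshd brute-force detection plus DNSBL-style blocklist checks.
All log lines, addresses, the zone and the records below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# Anchored on the final "port N ssh2": a username containing a fake
# "from 192.0.2.10 port 1 ssh2" cannot steer which address is extracted.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>[0-9A-Fa-f.:]+) port \d+ ssh2$"
)

Resolver = Callable[[str], Optional[str]]  # DNS name -> A record or None


def parse_failures(lines: Iterable[str], year: int = 2008) -> List[Tuple[datetime, str]]:
    """(timestamp, source ip) per failed-password line; syslog has no year,
    so one is supplied (assumed). Accepted logins and other lines are skipped."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    return events


def ban_candidates(events, maxretry: int = 5,
                   findtime: timedelta = timedelta(minutes=10)) -> Set[str]:
    """fail2ban-like rule: at least maxretry failures from one IP within findtime."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for ts, ip in sorted(events):
        by_ip[ip].append(ts)
    banned = set()
    for ip, times in by_ip.items():
        start = 0
        for end in range(len(times)):  # sliding window over sorted times
            while times[end] - times[start] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(ip)
                break
    return banned


def dnsbl_name(ip: str, zone: str) -> str:
    """Classic DNSBL naming: reversed IPv4 octets under the list zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"IPv4 address expected, got {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip: str, zone: str, resolve: Resolver, whitelist: Set[str]) -> bool:
    """Blocking decision: the local whitelist always wins over the shared list."""
    if ip in whitelist:
        return False
    return resolve(dnsbl_name(ip, zone)) is not None


def own_hosts_listed(own_ips: Iterable[str], zone: str, resolve: Resolver) -> List[str]:
    """Early warning: deliberately NOT subject to the whitelist, because the
    point is to notice when one of our own hosts appears on the list."""
    return sorted(ip for ip in own_ips if resolve(dnsbl_name(ip, zone)) is not None)


# ---- constructed sample data: documentation addresses, made-up zone ----
SAMPLE_LOG = [
    "Dec  5 11:20:01 myhost sshd[4011]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Dec  5 11:20:03 myhost sshd[4012]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2",
    "Dec  5 11:20:05 myhost sshd[4013]: Failed password for root from 203.0.113.5 port 51251 ssh2",
    "Dec  5 11:20:08 myhost sshd[4014]: Failed password for root from 203.0.113.5 port 51262 ssh2",
    "Dec  5 11:20:11 myhost sshd[4015]: Failed password for invalid user test from 203.0.113.5 port 51270 ssh2",
    "Dec  5 11:21:00 myhost sshd[4016]: Accepted publickey for steve from 192.0.2.10 port 50022 ssh2",
    # username crafted to look like a trusted address; must still resolve to 203.0.113.9
    "Dec  5 11:22:30 myhost sshd[4017]: Failed password for invalid user x from 192.0.2.10 port 1 ssh2 from 203.0.113.9 port 51300 ssh2",
    # five failures spread over 32 minutes: never maxretry within findtime
    "Dec  5 11:40:00 myhost sshd[4018]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2",
    "Dec  5 11:48:00 myhost sshd[4019]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2",
    "Dec  5 11:56:00 myhost sshd[4020]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2",
    "Dec  5 12:04:00 myhost sshd[4021]: Failed password for invalid user admin from 198.51.100.7 port 40003 ssh2",
    "Dec  5 12:12:00 myhost sshd[4022]: Failed password for invalid user admin from 198.51.100.7 port 40004 ssh2",
]
ZONE = "bl.example"  # hypothetical blocklist zone
FAKE_RECORDS = {  # stands in for real DNS; swap in a gethostbyname wrapper in production
    dnsbl_name("203.0.113.5", ZONE): "127.0.0.2",
    dnsbl_name("192.0.2.10", ZONE): "127.0.0.2",  # one of "our" hosts got listed
}
WHITELIST = {"192.0.2.10"}
OWN_HOSTS = {"192.0.2.10", "192.0.2.11"}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_RECORDS.get(name)


def run_example() -> dict:
    events = parse_failures(SAMPLE_LOG)
    banned = ban_candidates(events)
    return {
        "failures": len(events),
        "banned": banned,
        "listed_and_blockable": {ip for ip in ("203.0.113.5", "192.0.2.10", "203.0.113.9")
                                 if is_listed(ip, ZONE, fake_resolve, WHITELIST)},
        "own_hosts_on_list": own_hosts_listed(OWN_HOSTS, ZONE, fake_resolve),
    }


if __name__ == "__main__":
    print(run_example())
```

Running it bans only `203.0.113.5` (five failures in ten seconds), leaves `198.51.100.7` alone because its failures never reach five inside the ten-minute window, and extracts `203.0.113.9` rather than the trusted address embedded in the injected username. The blocklist check returns false for `192.0.2.10` because the whitelist overrides the shared list, yet the self-check still reports that same host as listed, which is exactly the early warning described above.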


Thread overview: 33+ messages
2008-12-03 20:02 [gentoo-user] Curious pattern in log files from ssh Steve
2008-12-03 20:16 ` [gentoo-user] " Nikos Chantziaras
2008-12-03 20:19   ` Paul Hartman
2008-12-03 20:52     ` Nikos Chantziaras
2008-12-03 20:17 ` [gentoo-user] " Albert Hopkins
2008-12-03 20:18 ` Paul Hartman
2008-12-03 20:49 ` Simon
2008-12-04 11:31   ` Steve
2008-12-05  7:16     ` Mick
2008-12-03 20:54 ` Alan McKinnon
2008-12-03 21:03 ` Dmitry S. Makovey
2008-12-03 21:47   ` Steve
2008-12-03 22:11     ` Dmitry S. Makovey
2008-12-03 22:55       ` Steve
2008-12-03 23:21         ` Paul Hartman
2008-12-03 23:46           ` Dmitry S. Makovey
2008-12-03 23:55           ` Steve
2008-12-04  0:07             ` Dmitry S. Makovey
2008-12-04  0:39               ` Steve
2008-12-04 15:50                 ` Dmitry S. Makovey
2008-12-04 22:44                   ` Adam Carter
2008-12-05  0:15                     ` Dmitry S. Makovey
2008-12-04 23:42                   ` Shawn Haggett
2008-12-03 22:54     ` Adam Carter
2008-12-04 11:24 ` Evgeniy Bushkov
2008-12-04 22:41   ` Adam Carter
2008-12-04 22:53     ` Adam Carter
2008-12-05 15:05     ` Evgeniy Bushkov
2008-12-07  5:52       ` Joshua Murphy
2008-12-04 19:03 ` Christian Franke
2008-12-04 20:22   ` Dmitry S. Makovey
2008-12-04 21:20   ` Alan McKinnon
2008-12-05 11:24     ` Steve [this message]