From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([69.77.167.62] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1L8YnZ-0001oq-NJ for garchives@archives.gentoo.org; Fri, 05 Dec 2008 11:24:44 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id DAF7CE0373; Fri, 5 Dec 2008 11:24:38 +0000 (UTC) Received: from smtp.hotchilli.net (mta3.th.hotchilli.net [62.89.140.53]) by pigeon.gentoo.org (Postfix) with ESMTP id 97FC3E0373 for ; Fri, 5 Dec 2008 11:24:38 +0000 (UTC) Received: from static-87-243-200-80.adsl.hotchilli.net ([87.243.200.80] helo=[127.0.0.1]) by smtp.hotchilli.net with esmtp (Exim 4.63) (envelope-from ) id 1L8YnV-0000HY-MS for gentoo-user@lists.gentoo.org; Fri, 05 Dec 2008 11:24:38 +0000 Message-ID: <49390F72.20406@shic.co.uk> Date: Fri, 05 Dec 2008 11:24:34 +0000 From: Steve User-Agent: Thunderbird 2.0.0.18 (Windows/20081105) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org MIME-Version: 1.0 To: gentoo-user@lists.gentoo.org Subject: Re: [gentoo-user] Curious pattern in log files from ssh... References: <4936E5E3.1040606@shic.co.uk> <49382975.5080701@yahoo.de> <200812042320.12159.alan.mckinnon@gmail.com> In-Reply-To: <200812042320.12159.alan.mckinnon@gmail.com> Content-Type: text/plain; charset=ISO-8859-15 Content-Transfer-Encoding: 7bit X-Archives-Salt: 4c2f5cf4-6489-4d10-9655-96e1363f2bba X-Archives-Hash: 4f19b90fa306caa7fced644af3cef669 Alan McKinnon wrote: > On Thursday 04 December 2008 21:03:17 Christian Franke wrote: > >> I just don't see what blocking ssh-bruteforce attempts should be good >> for, at least on a server where few _users_ are active. >> > Two reasons: > > a. Maybe, just maybe, you overlooked something. Belts, braces and a drawstring > for good measure is not a bad thing. > > b. You probably want to get all that crap out of your log files off into some > other place where you can cope with it. Parsing auth log files that are 95% > brute force attempts is no fun. I like to have the crap in place A and the > real stuff in place B, makes my job so much easier > I agree 100% with the above - another issue is that I'd like to block all traffic from malicious hosts - I realise that the traffic is low at the moment, but that need not be the case in future. >> Also, things like fail2ban add new attack-possibilities to a system, I >> remember the old DoS for fail2ban, resulting from a wrong regex in log >> file parsing, but I think at least this is fixed now. >> > Whereas that is true enough in itself, the actual risk of such is rather low > in comparison to the gains. Hence it is not a valid reason to not use > fail2ban and such-like apps. The issue for me is that the cost of a DOS is far, far lower than the cost of a break-in. The cost of a DOS that prevents access from new hosts is orders of magnitude lower than the cost of a DOS. Everyone's risk profiles are different - but, for me, keeping out intruders is critical (they may result in unrecoverable data loss) and my accessibility objective is that it be the 'norm' that I can log in with an unusual-username and complex password from a trustworthy PC whose IP address can not be determined in advance... using only bog-standard tools and no non-remembered personal data. I'm coming around to the idea of port-knocking, but my gut instinct is that it is a bit baroque and has potential for me to louse-up its implementation... It definitely adversely affects usability - though, I admit, less than I first suspected. I'm still quite interested in the idea of identifying botnets where used to subvert the tactics used by fail2ban; blacklist.py, etc. and using these to, in turn, block access to any service... including, for example, hosted web-services which are, potentially, in spite of taking all the obvious precautions, more vulnerable to attack - IMHO. I'm definitely thinking that it would be a good idea if there were a way to publish botnet lists... such that they could be collated and turned into a DNSBL style resource. If such a resource existed, I'd definitely chose to use it (overridden by a few whitelist entries of my own - just-in-case...) and I'd be very happy to report back to it in order to help keeping this problem under control. Incidentally, I'd also consider it useful to monitor this block list for any occurrence of my own IP address - since that would be an early indication that one of my hosts may be compromised.