Adam Carter wrote:
>> Also take a note that there are no "known-compromised hosts"
>
> What about hosts listed in RBLs? http://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists. It would be interesting to see how much correlation there is between ssh brute forcing bots and the contents of the various lists.

It's just interesting. But I don't trust them enough. I don't know how these lists were composed. We've periodically seen virus outbreaks; some computers' IPs could get into lists because of trojans and so on. One day you won't reach your server from your own home computer...

>> because ANY IP can be forged.
>
> It's easy enough to forge a SYN, but to set up a session so you can make a password guessing attempt requires that you also get the packets back from the server, which is an order of magnitude more difficult. Ever since OSes have implemented well chosen initial sequence numbers, spoofing of TCP sessions has become very difficult.

I agree, but as an admin I prefer to think about many things as worse than they really are. If something wrong is possible, it's better to avoid it beforehand.

Best regards,
Evgeniy B.
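
The correlation question raised in this exchange can be measured without blocking anyone. The following is an added example, not part of the original thread: it counts failed-password sources in an sshd log and reports how many of them a DNS blacklist lists. The OpenSSH syslog line format, the zone name `dnsbl.example` and all function names are assumptions made for illustration.

```python
import ipaddress
import re
import socket
from collections import Counter

# Constructed sshd log lines using documentation-range addresses (not real data).
SAMPLE_LOG = """\
Jan 10 03:12:01 host sshd[811]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jan 10 03:12:03 host sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Jan 10 03:12:09 host sshd[815]: Failed password for root from 198.51.100.23 port 51514 ssh2
Jan 10 03:13:40 host sshd[822]: Accepted password for alice from 192.0.2.10 port 50022 ssh2
Jan 10 03:14:02 host sshd[830]: Failed password for root from 203.0.113.7 port 40188 ssh2
Jan 10 03:15:11 host sshd[841]: Failed password for invalid user test from 192.0.2.99 port 33310 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def failed_sources(log):
    """Count failed password attempts per source IP."""
    return Counter(m.group(1) for m in FAILED.finditer(log))

def dnsbl_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets prepended to the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything but IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def dns_listed(name):
    """A DNSBL returns an A record for listed hosts and NXDOMAIN otherwise."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False

def correlate(log, zones, is_listed=dns_listed):
    """Per zone: which brute-force sources are listed, and the overlap ratio."""
    sources = sorted(failed_sources(log))
    report = {}
    for zone in zones:
        hits = [ip for ip in sources if is_listed(dnsbl_name(ip, zone))]
        report[zone] = {"listed": hits, "total": len(sources),
                        "ratio": len(hits) / len(sources) if sources else 0.0}
    return report

if __name__ == "__main__":
    # Offline stub standing in for DNS: pretend one source is listed.
    stub = {"7.113.0.203.dnsbl.example"}
    print(correlate(SAMPLE_LOG, ["dnsbl.example"], is_listed=stub.__contains__))
```

The successful login from 192.0.2.10 is never looked up, so a report like this gives overlap figures only and does nothing to a legitimate host that happens to be listed.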