From: Raphael Melo de Oliveira Bastos Sales
To: gentoo-user@lists.gentoo.org
Date: Wed, 3 Aug 2005 02:25:29 +0000
Subject: Re: [gentoo-user] Testing how secure a server is...
Message-ID: <8f7a9d58050802192511865147@mail.gmail.com>
In-Reply-To: <20050803021105.GA6477@princeton.edu>

Which IDS system do you recommend?

I also need to worry about HTTP auth brute force. Know any way to stop it from happening?

I've read about HoneyPots, which I can only assume is a decoy for an attacker. Anyone know how to set one up?

I have a feeling that there isn't much I can do if a pro actually tries to break the system. All I can do is keep the dummies from doing it as well.

2005/8/3, Willie Wong:
> On Tue, Aug 02, 2005 at 09:43:17PM -0400, Colin wrote:
> > Neither is what I was thinking of, but they're quite similar.
> > LoginGraceTime means if nobody logged in within 10 minutes of the
> > connection being opened, then it will be closed. I don't know
> > exactly what MaxAuthTries does, but I imagine after the sixth invalid
> > login, the connection would be closed.
>
> Yes, and if the failure reaches half the number, all further failures
> will be logged. In the case of
>   MaxAuthTries 6
> it means that the first three failures will go unnoticed, the fourth
> through sixth logged, and the connection closes after that.
>
> There is, unfortunately, not an option in sshd_config to allow for the
> behaviour you specified, where after a password failure, the next
> prompt comes up delayed by five seconds. Perhaps it should be put as a
> feature request (=.
>
> Your best bet against brute forcing sshd is
> 1) Not allowing password login at all
> or
> 2) Use some sort of IDS coupled with a firewall rule to block the
>    particular host after multiple login failures. But even that
>    won't stop a distributed brute force. But then again, if you are
>    guarding a system that really demands that much security against
>    a determined cracker, you really should consider NOT putting the
>    system on the internet.
> or
> 3) Maybe port-knocking? Note that just by running ssh on a
>    non-standard port, you probably are avoiding most of the 5|<|21p7
>    kiddie attacks... again, only someone who really wants in on your
>    system will take the effort to locate where sshd is listening.
>
> > I found this site, check it out. It's for Red Hat (Gentoo is
> > better!), but it's the same SSHd:
> > http://www.faqs.org/docs/securing/chap15sec122.html
>
> --
> It's easy to come up with new ideas; the hard
> part is letting go of what worked for you two
> years ago, but will soon be out of date.
> -- Roger Von Oech
> Sortir en Pantoufles: up 2 days, 9:25
> --
> gentoo-user@gentoo.org mailing list
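A minimal defender-side sketch of option 2 from Willie Wong's reply (an IDS-style log watcher feeding a firewall block rule), added here as an example; it is not code from the thread or from any poster. It assumes the OpenSSH "Failed password for ... from <ip> port <n>" syslog line shape, a constructed auth.log excerpt, and a hypothetical policy of 5 failures from one source within 10 minutes; the iptables commands are rendered as strings for review rather than executed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log excerpt (not from the thread). Classic syslog
# timestamps carry no year, so a year is supplied when parsing.
SAMPLE_LOG = """\
Aug  3 02:10:01 server sshd[4101]: Failed password for invalid user admin from 192.0.2.10 port 40210 ssh2
Aug  3 02:10:03 server sshd[4101]: Failed password for invalid user admin from 192.0.2.10 port 40210 ssh2
Aug  3 02:10:05 server sshd[4101]: Failed password for invalid user admin from 192.0.2.10 port 40210 ssh2
Aug  3 02:10:09 server sshd[4107]: Failed password for root from 192.0.2.10 port 40211 ssh2
Aug  3 02:10:12 server sshd[4107]: Failed password for root from 192.0.2.10 port 40211 ssh2
Aug  3 02:11:40 server sshd[4120]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Aug  3 02:11:55 server sshd[4120]: Accepted password for alice from 198.51.100.7 port 51000 ssh2
Aug  3 02:30:00 server sshd[4190]: Failed password for invalid user test from 203.0.113.5 port 33001 ssh2
"""

# Matches only failed password attempts; "invalid user" is optional because
# sshd phrases unknown and known usernames differently.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2005):
    """Return a list of (timestamp, user, source_ip) for each failed-password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("ip")))
    return events


def find_offenders(events, threshold=5, window=timedelta(minutes=10)):
    """Map source IP -> peak failure count for sources that reach `threshold`
    failures inside any sliding window of length `window`.

    Note (per the thread's description of MaxAuthTries): sshd may log only the
    later failures of a connection, so the count seen here is a lower bound on
    the attempts actually made against the server.
    """
    by_ip = defaultdict(list)
    for ts, _user, ip in sorted(events):
        by_ip[ip].append(ts)

    offenders = {}
    for ip, times in by_ip.items():
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                offenders[ip] = max(offenders.get(ip, 0), count)
    return offenders


def iptables_rules(offenders, ssh_port=22):
    """Render the block rules an IDS hook would apply (strings only; hypothetical
    port argument, not taken from the thread)."""
    return [
        f"iptables -I INPUT -s {ip} -p tcp --dport {ssh_port} -j DROP"
        for ip in sorted(offenders)
    ]


if __name__ == "__main__":
    hits = find_offenders(parse_failures(SAMPLE_LOG))
    for rule in iptables_rules(hits):
        print(rule)
```

On the sample, only 192.0.2.10 crosses the threshold (five failures in eleven seconds across two connections); the single failure from 198.51.100.7 followed by a successful login is left alone, which is the point of counting per source over a window rather than reacting to each failure. As the reply notes, a per-source rule does nothing against a distributed brute force, so it belongs alongside disabling password authentication, not instead of it.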