[GRLUG] Limiting SSH brute force attacks with IPTABLES (recent module)...

john-thomas richards jtr at jrichards.org
Mon Feb 20 14:01:59 EST 2006


On Mon, Feb 20, 2006 at 01:06:08PM -0500, Collin wrote:
[snip]
> > Several times per day I receive brute force attacks on port 22.  Digg had the
> > DenyHosts script which detects such attacks and adds the IP address to
> > /etc/hosts.deny.  Would it be better to ban the IP altogether rather than limit
> > the frequency with which the attacks can occur?  The idea of denying the IP
> > appeals to me but I am not a security expert in any sense.
> >
> 
> Personally I'd like to say that the denying approach is best but I 
> don't think it is... The problem is that it bloats the deny file for 
> really no benefit. Have you ever seen any intelligent brute forces on 
> SSH? All of the ones I get are stupid attempts from worms and such. No, 
> I don't allow root logons and I don't have users named Dick, Jane, Admin, 
> Ralf, Guest, etc, etc. They are basically harmless brute force attempts. 
> The machines and/or IPs of origin probably don't even know that their 
> machine is doing it. Blocking them isn't really going to solve anything. 
> The best defense is to disable unused accounts and not use idiotic 
> passwords.
> 
> The slowing of connection attempts is probably better as it doesn't 
> bloat the deny file and it still serves its purpose. If a REAL brute 
> force comes in they'll likely give up rather than have to wait 20 
> seconds between tries.

Excellent.  Thanks, Collin.  This is the sort of answer for which I was
hoping.  My logs show similar attempts (real names, "Admin", et cetera).
I do not have any "real" names as accounts and the passwords are not
dictionary words (well...some are but they are 0bFusc4t3d).  It makes
sense that adding all the IPs to /etc/hosts.deny is overkill.  I wonder
how many of the IPs are static.  I suspect many are not so denying them
serves no real purpose other than having a hosts.deny weigh in at 100k 
after a few months. :-)

Thanks again.
-- 
john-thomas
------
I'm not altogether sure what world war three will be fought with, but no
matter what it is, world war four will be fought with sticks and rocks.
Albert Einstein
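The rate-limiting approach Collin recommends (slow repeated connection attempts rather than grow hosts.deny), written out as an added example that is not part of the thread: an iptables ruleset built on the "recent" match. The port, the thresholds (HITS, WINDOW), the list name, the SSH_LIMIT chain and the optional TRUSTED network are assumed values, not anything the posters used.

```shell
#!/bin/sh
# Added example, not from the original thread: rate-limit new SSH connections
# per source address with the iptables "recent" match, instead of appending
# every offending IP to /etc/hosts.deny. All values below are assumed defaults.
SSH_PORT="${SSH_PORT:-22}"
HITS="${HITS:-4}"         # the HITS-th new connection within WINDOW seconds is dropped
WINDOW="${WINDOW:-60}"
LIST="${LIST:-sshbrute}"  # name of the recent-module tracking list (arbitrary)
TRUSTED="${TRUSTED:-}"    # optional CIDR that is never rate-limited (constructed, e.g. 192.0.2.0/24)

# Emit the rules as text so the policy can be reviewed or saved before it is
# applied. --set records every new connection; --rcheck only tests the count
# (used for the LOG line so it does not add a hit); --update also refreshes the
# timestamp, so a host that keeps hammering stays dropped until it backs off
# for WINDOW seconds. The LOG prefix gives a clean string to alert on.
ssh_ratelimit_rules() {
    echo "iptables -N SSH_LIMIT"
    if [ -n "$TRUSTED" ]; then
        echo "iptables -A SSH_LIMIT -s $TRUSTED -j RETURN"
    fi
    echo "iptables -A SSH_LIMIT -m recent --name $LIST --set"
    echo "iptables -A SSH_LIMIT -m recent --name $LIST --rcheck --seconds $WINDOW --hitcount $HITS -j LOG --log-prefix \"SSH-RATELIMIT: \""
    echo "iptables -A SSH_LIMIT -m recent --name $LIST --update --seconds $WINDOW --hitcount $HITS -j DROP"
    echo "iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j SSH_LIMIT"
}

# Apply only when explicitly asked and running as root; otherwise just print.
apply_ssh_ratelimit() {
    [ "$(id -u)" -eq 0 ] || { echo "must be root to apply the rules" >&2; return 1; }
    ssh_ratelimit_rules | sh -e
}

if [ "${1:-}" = apply ]; then apply_ssh_ratelimit; else ssh_ratelimit_rules; fi
```

Run it with no arguments to review the generated rules, and with `apply` as root to load them; HITS must not exceed the recent module's per-address packet limit (ip_pkt_list_tot, 20 by default).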

