From owner-freebsd-hackers@FreeBSD.ORG Sat Oct 3 08:37:51 2009
From: Jukka Ruohonen
To: freebsd-hackers@freebsd.org
Reply-To: jruohonen@iki.fi
Date: Sat, 3 Oct 2009 11:13:35 +0300
Subject: Re: Distributed SSH attack
Message-ID: <20091003081335.GA19914@marx.net.bit>
In-Reply-To: <4AC66E07.4030605@FreeBSD.org>
References: <20091002201039.GA53034@flint.openpave.org> <4AC66E07.4030605@FreeBSD.org>
List-Id: Technical Discussions relating to FreeBSD
User-Agent: Mutt/1.4.2.3i

On Fri, Oct 02, 2009 at 05:17:59PM -0400, Greg Larkin wrote:
> You could set up DenyHosts and contribute to the pool of IPs that are
> attempting SSH logins on the Net:
> http://denyhosts.sourceforge.net/faq.html#4_0

While I am well aware that a lot of people use DenyHosts or some
equivalent tool, I've always been somewhat skeptical about these tools.
A few issues:

1. Firewalls should generally be as static as is possible. There is a
   reason why high securelevel prevents modifications to firewalls.

2. Generally you do not want some parser to modify your firewall rules.
   Parsing log entries created by remote unauthenticated users as root
   is never a good idea.

3. Doing (2) increases the attack surface.

4. There have been well-documented cases where (3) has opened
   opportunities for both remote and local DoS.

Two cents, as they say,

Jukka.
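The failure mode behind points (2) and (4) above, shown as an added Python example that is not part of this thread and not DenyHosts code. It assumes the usual OpenSSH syslog wording ("Invalid user X from IP port N", "Failed password for ... from IP port N ssh2") and runs over constructed log lines. The username field in those lines is chosen by the remote, unauthenticated peer; a parser that grabs the first address-looking token in the line will therefore attribute a failure to whatever address the peer put in the username, and a threshold-based blocker built on it can be steered into blocking an innocent host (a local or remote DoS). The strict parser only trusts the "from IP port N" tail that sshd itself appends, validates the address, and emits a list for review rather than touching firewall rules as root.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the assumed OpenSSH syslog format.
# The real source of every failure is 203.0.113.7; the third and fourth
# lines carry a peer-chosen username that merely looks like an address.
LOG_LINES = [
    "Oct  3 08:12:01 host sshd[1234]: Invalid user admin from 203.0.113.7 port 51234",
    "Oct  3 08:12:05 host sshd[1235]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2",
    "Oct  3 08:12:09 host sshd[1236]: Invalid user 192.0.2.10 from 203.0.113.7 port 51250",
    "Oct  3 08:12:12 host sshd[1237]: Invalid user 192.0.2.10 from 203.0.113.7 port 51255",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Weak approach: first address-looking token anywhere in the line.
# This reads attacker-influenced fields (the username) as if they were trusted.
NAIVE_IP = re.compile(IPV4)


def naive_source(line):
    """Return the first IPv4-looking token in the line, or None."""
    m = NAIVE_IP.search(line)
    return m.group(0) if m else None


# Strict approach: require an sshd record and take the address only from the
# 'from <ip> port <n>' tail that sshd appends after the peer-supplied username.
# Anchoring at end-of-line means a 'from ... port ...' string embedded in the
# username cannot be mistaken for the real tail.
SSHD_RECORD = re.compile(r"\bsshd\[\d+\]: ")
SSHD_TAIL = re.compile(r" from (" + IPV4 + r") port \d{1,5}(?: ssh2)?$")


def failed_login_source(line):
    """Return the validated peer address of an sshd auth-failure line, or None."""
    if not SSHD_RECORD.search(line):
        return None
    m = SSHD_TAIL.search(line)
    if not m:
        return None
    try:
        # Rejects octets > 255 and anything else that only looked like an address.
        return str(ipaddress.ip_address(m.group(1)))
    except ValueError:
        return None


def offenders(lines, parser, threshold=2):
    """Addresses with at least `threshold` failures, sorted; nothing is blocked here."""
    counts = Counter(ip for ip in map(parser, lines) if ip)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("naive :", offenders(LOG_LINES, naive_source))
    print("strict:", offenders(LOG_LINES, failed_login_source))
```

With the constructed lines, the naive parser reports both 203.0.113.7 and the innocent 192.0.2.10 as offenders, while the strict parser reports only 203.0.113.7. Even the strict version only produces a candidate list; feeding it into a firewall table should be a separate, unprivileged, rate-limited step rather than a root process rewriting rules on every log line.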