Date: Sat, 3 Oct 2009 12:43:50 +0100
From: Bob Bishop <rb@gid.co.uk>
To: jruohonen@iki.fi
Cc: freebsd-hackers@freebsd.org
Subject: Re: Distributed SSH attack
Message-ID: <EADE366E-D19A-49BC-ACE5-726C9E32641C@gid.co.uk>
In-Reply-To: <20091003081335.GA19914@marx.net.bit>
References: <20091002201039.GA53034@flint.openpave.org> <4AC66E07.4030605@FreeBSD.org> <20091003081335.GA19914@marx.net.bit>
Hi,

On 3 Oct 2009, at 09:13, Jukka Ruohonen wrote:

> While I am well aware that a lot of people use DenyHosts or some equivalent
> tool, I've always been somewhat skeptical about these tools. Few issues:
>
> 1. Firewalls should generally be as static as is possible. There is a reason
> why high securelevel prevents modifications to firewalls.
>
> 2. Generally you do not want some parser to modify your firewall rules.
> Parsing log entries created by remote unauthenticated users as root is
> never a good idea.
>
> 3. Doing (2) increases the attack surface.
>
> 4. There have been well-documented cases where (3) has opened opportunities
> for both remote and local DoS.
>
> Two cents, as they say,
>
> Jukka.

Blackhole routes can be added as an alternative to tweaking firewall rules. The other objections (esp. 3) still apply of course, but these attacks are such a PITA (noise in the logs if nothing else) that one has to do something.

--
Bob Bishop
rb@gid.co.uk
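A log-to-blackhole parser of the kind the thread is debating, written here as an added example (not code from the thread, from DenyHosts or from FreeBSD) to show the checks that objections 2 and 4 call for: the source address is taken only from the fixed tail sshd appends to the record, validated as a literal IP, and the route(8) blackhole commands are emitted as text for a separate privileged step instead of being executed by the process that reads untrusted log input. The sshd log lines, host name and threshold are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sshd log sample (not from the original thread). The third line
# carries a username chosen to resemble a "from <addr>" clause; a pattern that
# is not anchored to the end of the record could attribute it to the wrong host.
SAMPLE_LOG = """\
Oct  3 12:01:02 gw sshd[1201]: Failed password for root from 192.0.2.10 port 50122 ssh2
Oct  3 12:01:04 gw sshd[1201]: Failed password for root from 192.0.2.10 port 50123 ssh2
Oct  3 12:01:05 gw sshd[1203]: Failed password for invalid user from 203.0.113.9 from 192.0.2.10 port 50124 ssh2
Oct  3 12:01:09 gw sshd[1210]: Failed password for admin from 198.51.100.7 port 40001 ssh2
Oct  3 12:01:10 gw sshd[1211]: Accepted publickey for bob from 198.51.100.200 port 40555 ssh2
"""

# Anchored on the "from <addr> port <n> ssh2" tail that sshd itself appends, so
# the captured token comes from sshd's fixed suffix, never from the username.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2$"
)

def failed_logins(lines):
    """Count failed password attempts per validated source address."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line.rstrip("\n"))
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # refuse anything that is not a literal IP address
        counts[str(addr)] += 1
    return counts

def blackhole_candidates(lines, threshold=3):
    """Addresses with at least `threshold` failures, sorted for stable output."""
    return sorted(ip for ip, n in failed_logins(lines).items() if n >= threshold)

def blackhole_commands(addrs):
    """route(8) commands as text: emitted, not run, so the privileged step
    stays separate from the code that parses attacker-influenced input."""
    return [f"route add -host {ip} 127.0.0.1 -blackhole" for ip in addrs]

if __name__ == "__main__":
    for cmd in blackhole_commands(blackhole_candidates(SAMPLE_LOG.splitlines())):
        print(cmd)
```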