From owner-freebsd-questions@FreeBSD.ORG Sun Aug 28 03:18:03 2005 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 432AC16A420 for ; Sun, 28 Aug 2005 03:18:03 +0000 (GMT) (envelope-from nikolas.britton@gmail.com) Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.206]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7EA6E43D48 for ; Sun, 28 Aug 2005 03:18:02 +0000 (GMT) (envelope-from nikolas.britton@gmail.com) Received: by wproxy.gmail.com with SMTP id 55so384647wri for ; Sat, 27 Aug 2005 20:18:01 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=fEXUfQeKQVdRF+ns5ktMlYTQgv492w8iAtkRxzflMk659HChFYqgPIT7ZOJBNU81CnM0gHJS26sFfCyP4FALNbooCu53NYsEfQjZQ+S+KZJOD+LYMJ9A6QMpCaiFWpEFepV41lQ2+HEHZBSIi8nwb2uDVWbNCrj8IkMzoOycivg= Received: by 10.54.27.53 with SMTP id a53mr5114100wra; Sat, 27 Aug 2005 20:18:01 -0700 (PDT) Received: by 10.54.124.11 with HTTP; Sat, 27 Aug 2005 20:18:01 -0700 (PDT) Message-ID: Date: Sat, 27 Aug 2005 22:18:01 -0500 From: Nikolas Britton To: "freebsd-questions@auscert.org.au" In-Reply-To: <200508280228.j7S2Sfx0052319@app.auscert.org.au> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <43110754.6010608@nawcom.no-ip.com> <200508280228.j7S2Sfx0052319@app.auscert.org.au> Cc: nawcom , freebsd-questions@freebsd.org Subject: Re: Illegal access attempt - FreeBSD 5.4 Release - please advise X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 28 Aug 2005 03:18:03 -0000 On 8/27/05, freebsd-questions@auscert.org.au wrote: > > if this server was used by 100+ people i would of course not have such = a > > harsh security script set up. everyone who uses it has great experience > > and understands the consequences. like i said before, this is usually > > for personal use and has about 12 users total. if this was used to > > manage ssh on something big i would lower the security measures. > > > > hope you can understand some now :) >=20 > Certainly. However, given that you are willing to accept (risk?) 5 attemp= ts > at a legitimate account I don't believe there would be any greater risk > in allowing the same for invalid accounts also, given that the likelihood > of gaining access to those is actually less - and it would make your scri= pt > simpler, too, whilst preventing the (albeit, unlikely in your situation) > possibility of a DoS to a valid user. To be honest, reversing your logic > somewhat wrt valid/invalid accounts and 1/5 attempts could have merit als= o. >=20 > That said, I'd be interested in seeing how you implement this with swatch > as I'm looking at log parsing solutions in general. >=20 I'd like to see it too, my logs are filled with brute force ssh login attempts. I'd like something like... x attempts in y time blocks source IP (or class c block etc.) for z hours.