Date: Sat, 3 Oct 2009 11:03:29 +0100
From: krad <kraduk@googlemail.com>
To: jruohonen@iki.fi, freebsd-hackers@freebsd.org
Subject: Re: Distributed SSH attack
Message-ID: <d36406630910030303j2e88046epa30f2a76b9ae1507@mail.gmail.com>
In-Reply-To: <20091003081335.GA19914@marx.net.bit>
References: <20091002201039.GA53034@flint.openpave.org> <4AC66E07.4030605@FreeBSD.org> <20091003081335.GA19914@marx.net.bit>

2009/10/3 Jukka Ruohonen <jruohonen@iki.fi>

> On Fri, Oct 02, 2009 at 05:17:59PM -0400, Greg Larkin wrote:
> > You could set up DenyHosts and contribute to the pool of IPs that are
> > attempting SSH logins on the Net:
> > http://denyhosts.sourceforge.net/faq.html#4_0
>
> While I am well aware that a lot of people use DenyHosts or some equivalent
> tool, I've always been somewhat skeptical about these tools. Few issues:
>
> 1. Firewalls should generally be as static as is possible. There is a reason
>    why high securelevel prevents modifications to firewalls.
>
> 2. Generally you do not want some parser to modify your firewall rules.
>    Parsing log entries created by remote unauthenticated users as root is
>    never a good idea.
>
> 3. Doing (2) increases the attack surface.
>
> 4. There have been well-documented cases where (3) has opened opportunities
>    for both remote and local DoS.
>
> Two cents, as they say,
>
> Jukka.

Simplest thing to do is disable password auth, and use key based.
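
Added example, not part of the thread: a small audit of sshd_config text that checks whether password guessing is actually shut off after following the advice above. It assumes upstream OpenSSH defaults and first-value-wins keyword handling; `parse`, `audit`, `SAMPLE` and `HARDENED` are names made up for this sketch.

```python
import re

# Upstream OpenSSH defaults when a keyword is absent (assumption: no vendor patches).
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}
# ChallengeResponseAuthentication is the older name for the same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
PASSWORD_CAPABLE = ("passwordauthentication", "kbdinteractiveauthentication")
LINE = re.compile(r"(\w+)(?:\s*=\s*|\s+)(.*)")

def parse(text):
    """Return (global_settings, match_blocks); the first value per keyword wins."""
    global_cfg, matches, current = {}, [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:                       # blank line, comment, or bare keyword
            continue
        key = ALIASES.get(m.group(1).lower(), m.group(1).lower())
        value = m.group(2).strip()
        if key == "match":              # later lines apply only to this block
            current = {}
            matches.append((value, current))
        else:
            (global_cfg if current is None else current).setdefault(key, value)
    return global_cfg, matches

def audit(text):
    """List settings that still let a remote client try passwords."""
    global_cfg, matches = parse(text)
    effective = {**DEFAULTS, **global_cfg}
    findings = [f"global: {k} is {effective[k]}"
                for k in PASSWORD_CAPABLE if effective[k].lower() != "no"]
    if effective["pubkeyauthentication"].lower() != "yes":
        findings.append("global: pubkeyauthentication is disabled")
    for criteria, block in matches:     # a Match block can re-enable passwords
        findings += [f"Match {criteria}: {k} is {block[k]}"
                     for k in PASSWORD_CAPABLE
                     if k in block and block[k].lower() != "no"]
    return findings

# Constructed sample input, not taken from the thread.
SAMPLE = """\
PasswordAuthentication no
PasswordAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""
HARDENED = "PasswordAuthentication no\nChallengeResponseAuthentication no\n"

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE), ("hardened", HARDENED)):
        print(name, audit(cfg) or "key-only")
```

The sample shows the common gap: `PasswordAuthentication no` alone leaves keyboard-interactive authentication enabled, which can still prompt for a password through PAM.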