Date: Tue, 14 Nov 2006 20:54:14 +0100 From: Erik Norgaard <norgaard@locolomo.org> To: "Leo L. Schwab" <ewhac@best.com> Cc: freebsd-questions@freebsd.org Subject: Re: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong? Message-ID: <455A1EE6.3020504@locolomo.org> In-Reply-To: <20061114092045.GB3207@best.com> References: <20061113060528.GA7646@best.com> <4558D2A3.50904@locolomo.org> <20061114092045.GB3207@best.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Leo L. Schwab wrote: > On Mon, Nov 13, 2006 at 09:16:35PM +0100, Erik Norgaard wrote: >> Honestly, I wouldn't worry about it: review your config and make some >> simple choices to reduce the noise, see this article: >> >> http://www.securityfocus.com/infocus/1876 >> > But I rather thought that was the point of 'bruteblock' -- it > reduces the noise by blackholing the offending IPs for an hour or so. This > blackholing doesn't appear to be happening, and I don't understand why. > > Could it be a permission problem -- syslog doesn't have permission > to change the firewall rules? I wouldn't worry about "bruteblock" - try create a perl script and see if you can see a system in the attacks: Do the same host come back? If so does it continue from where it left? The annoyance of these brute force attacks is that your log is larger that it would be without them. That is unless ofcourse you have made yourself vulnerable! - do you use bad passwords? - do you allow root login? - have you disabled system accounts? If the answers are no, no and yes, then you can largely ignore. For more on this - read the linked article, read the old thread. Cheers, Erik -- Ph: +34.666334818 web: http://www.locolomo.org X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?455A1EE6.3020504>