Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: SSH Bruteforce blocking script

From: "Pedro Hugo " <fractalg () highspeedweb net>
Date: Fri, 2 Sep 2005 05:53:04 -0400
Hi,


I don't want to debate the goodness or badness of the strategy of
blocking hosts like this in /etc/hosts.deny. It works perfectly for me,
and most
likely would for you, so no religious debates thanks. It's effective at
blocking bruteforce attacks. If a host EXCEEDS a specified number of
guesses
during the (configurable) 30 seconds it takes the script to cycle, the
host is blacklisted.



Why are you doing this the wrong way ? You should whitelist hosts, instead blacklisting them.
Unless you have administrative reasons for such decision, hosts.deny should be set to ALL:ALL, and you should allow 
specifically in hosts.allow.
This way everything is dropped by default. Tcpwrappers should be configured the same way a firewall is, unless there is 
something against  it. 
Even if you have customers who need remote access, adding a few ip's is much better than having open by default.
Kind Regards,
Pedro Hugo
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: