Full Disclosure mailing list archives

Re: Full-disclosure Digest, Vol 7, Issue 4


From: "Bardus Populus" <disclosure () wykkyd securecoffee com>
Date: Fri, 2 Sep 2005 12:22:47 -0400 (EDT)

Previously on Full Disclosure:
------------------------------

Message: 9
Date: Fri,  2 Sep 2005 05:53:04 -0400
From: "Pedro Hugo  " <fractalg () highspeedweb net>
Subject: Re: [Full-disclosure] SSH Bruteforce blocking script
To: <full-disclosure () lists grok org uk>
Message-ID: <200509020553.AA4522138 () highspeedweb net>
Content-Type: text/plain; charset=us-ascii

Hi,

I don't want to debate the goodness or badness of the strategy of
blocking hosts like this in /etc/hosts.deny. It works perfectly for me,
and most likely would for you, so no religious debates thanks. It's
effective at blocking bruteforce attacks. If a host EXCEEDS a specified
number of guesses during the (configurable) 30 seconds it takes the
script to cycle, the host is blacklisted.


Why are you doing this the wrong way? You should whitelist hosts, instead
of blacklisting them.
Unless you have administrative reasons for such a decision, hosts.deny
should be set to ALL:ALL, and you should allow specifically in
hosts.allow.
This way everything is dropped by default. Tcpwrappers should be
configured the same way a firewall is, unless there is something against
it.
Even if you have customers who need remote access, adding a few IPs is
much better than having open by default.
Kind Regards,
Pedro Hugo


Occasionally they do let, nay force, admins out of server closets, for
health or business reasons.

Though I cannot speak for the OP directly, I submit that I travel often
for business and cannot predict with any authority whether I am going to
have a particular IP as a source with sufficient prescience to enter it
into a whitelist before I leave.

Between hotels and hosting organizations my IP varies radically, and due
to their addressing and name assignment schemes, I may not even have a
hostname choice (particularly a FQDN), so the static hostname option is
out also (for hosts.allow).

Since it is not acceptable for me to simply not have the ability to SSH
into my servers when on the road, this is a solution that would work in
part for me (though I have moved SSH to another port, it still receives
"traffic" - just luckily not of the brute force login type as yet) and
would potentially help out others in a similar situation.

-bp
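An added example, not the OP's script nor anything posted in this thread: the two approaches above combined in one POSIX sh snippet. It counts "Failed password" lines per source address in a constructed sshd log excerpt, emits hosts.deny entries for addresses over a threshold, and skips any address already present in a hosts.allow-style whitelist, so a travelling admin who typoed a password is not locked out of the box. The log lines, addresses and whitelist are made up; the OP's 30-second cycle is not modelled, the whole excerpt is one window.

```shell
#!/bin/sh
# Added example: failed-login counting feeding hosts.deny, with a
# whitelist check so hosts.allow entries are never blacklisted.

# Constructed sshd log excerpt (documentation-range addresses).
SAMPLE_LOG='Sep  2 12:01:01 srv sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 4011 ssh2
Sep  2 12:01:02 srv sshd[1002]: Failed password for root from 203.0.113.5 port 4012 ssh2
Sep  2 12:01:04 srv sshd[1003]: Failed password for root from 203.0.113.5 port 4013 ssh2
Sep  2 12:01:07 srv sshd[1004]: Failed password for bp from 198.51.100.7 port 50100 ssh2
Sep  2 12:01:08 srv sshd[1005]: Failed password for bp from 198.51.100.7 port 50100 ssh2
Sep  2 12:01:09 srv sshd[1006]: Failed password for bp from 198.51.100.7 port 50100 ssh2
Sep  2 12:01:12 srv sshd[1007]: Accepted publickey for bp from 198.51.100.7 port 50101 ssh2
Sep  2 12:01:15 srv sshd[1008]: Failed password for invalid user oracle from 192.0.2.9 port 3300 ssh2'

# Constructed hosts.allow-style whitelist: the admin's current address.
WHITELIST='sshd: 198.51.100.7'

# offenders LIMIT: read a log on stdin; print each source IP that has
# more than LIMIT "Failed password" lines, one per line, sorted.
offenders() {
    awk -v limit="$1" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") count[$(i + 1)]++
        }
        END { for (ip in count) if (count[ip] > limit) print ip }
    ' | sort
}

# allowed IP WHITELIST: succeed only if IP is a whole token of the
# whitelist (so 198.51.100.70 does not match an entry for 198.51.100.7).
allowed() {
    for tok in $(printf '%s\n' "$2" | tr ':,' '  '); do
        [ "$tok" = "$1" ] && return 0
    done
    return 1
}

# deny_entries LIMIT WHITELIST: read a log on stdin; print "sshd: IP"
# lines ready for hosts.deny, omitting whitelisted addresses.
deny_entries() {
    offenders "$1" | while read -r ip; do
        allowed "$ip" "$2" || printf 'sshd: %s\n' "$ip"
    done
}

printf '%s\n' "$SAMPLE_LOG" | deny_entries 2 "$WHITELIST"
```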
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/