PLEX86  x86- Virtual Machine (VM) Program


ssh brute force attacks 3204
Michael Heiming: Pretty dumb script that blocks its own internal IP... though in my case, internal IPs are already blocked outside of office hours. OK, but again: I don't agree that doing this...

Michael Heiming

I keep re-reading this, and looking at the context, and I'm just not following you. My failing, I'm sure, but could you be more specific?

ssh brute force attacks 3205
Michael Heiming: OK. It "introduces" a highly unlikely and difficult-to-execute DoS method. So my point is that blocking the IPs of failed...

I said in my other post in this thread, if it's after hours I disable the login entirely (though sshd is already set not to look for passwords at all, so that should never happen), but I do at least temporarily block IPs that keep hammering at me - I figure a couple of attempts might be an honest mistake, but a couple of hundred sure is not. I review the logs later, with the help of some scripts, and may decide to more permanently block certain IPs. I do two levels on that: once at the firewall to block all traffic, and once at the machine to specifically block ssh. I might take the firewall block off after a few weeks because it may be dynamic, but if it keeps coming back, they get left there.

I just don't see how this is "introducing DoS attacks" - I'm not being argumentative; I just don't understand why you say this and am seeking education.

ssh brute force attacks 3206
Assuming you know my home machine's address and assuming my filter is going to dumbly add that? Both assumptions seem far-fetched to me - and again, even if I did blindly let...

How is blocking a specific IP more conducive to a DoS attack than just letting them hammer away at me? The latter seems more demanding of my resources, but maybe I'm just not understanding you?

I also don't follow the "What if someone spoofs the IP?" What if they do? I'm not responding to those packets; I'm blocking them. So wouldn't the only DoS be SYN floods? Or am I missing something more basic?

And that brings up another question. The things I've talked about above mostly apply to my home-office systems. My public website sits on an Interland shared BSD box, and although I do have root access and can affect my security to some extent, I mostly rely on *their* security, which is starting to worry me a bit. They don't necessarily react to security patches as quickly as I might, but on the other hand they may have reasons (which quite naturally they don't talk about) to know that a certain exploit doesn't apply to their servers even though I might think I'm at risk.

So what's the opinion? I've been thinking about moving my site to a dedicated server like oneandone.com where I can very specifically control everything, but that wouldn't give me any separate firewall such as I have with the shared server at Interland. Which is more likely to be more secure? I realize it's impossible to answer that authoritatively because nobody but Interland knows what security provisions they add, but what's the gut impression?

-- Tony Lawrence
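Editor's added example, not a script posted by anyone in the thread: a sketch of the kind of log-review script the post above describes. It parses OpenSSH "Failed password" syslog lines, counts failures per source address inside a sliding time window so a couple of typos are ignored while a couple of hundred attempts are not, skips an allow-list so the script cannot block your own internal addresses (the failure mode raised earlier in the thread), and prints the host-level "block ssh only" rules as iptables commands; the firewall-wide block is left as a separate, manual step. The log lines, addresses, host name "gw", threshold, window and allow-list are all constructed assumptions.

```python
"""Review sshd auth logs for brute-force sources and emit host-level blocks.

Added illustration, not a script from the newsgroup thread.  The log lines
below are constructed in OpenSSH's syslog format; the threshold, window,
allow-list and host name are assumptions chosen for the example.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10                     # assumed: failures per window that earn a block
WINDOW = timedelta(minutes=10)     # assumed: sliding window length
ALLOW = [ipaddress.ip_network("192.168.1.0/24")]   # assumed: never block these
SSH_PORT = 22

# OpenSSH "Failed password" line; the optional "invalid user" prefix appears
# when the account does not exist.  Syslog timestamps carry no year.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def _fail(ts, user, ip, port, invalid=False):
    """Build one constructed sshd failure line (helper for the sample log)."""
    who = f"invalid user {user}" if invalid else user
    return f"{ts} gw sshd[{1000 + port % 1000}]: Failed password for {who} from {ip} port {port} ssh2"


SAMPLE_LOG = (
    # 203.0.113.5: a dozen failures in under two minutes, clearly not a typo
    [_fail(f"Mar 14 02:{10 + i // 6:02d}:{(i * 7) % 60:02d}", "root", "203.0.113.5", 40000 + i)
     for i in range(12)]
    # 198.51.100.7: two failures, the "honest mistake" case
    + [_fail("Mar 14 02:11:05", "tony", "198.51.100.7", 51000),
       _fail("Mar 14 02:11:20", "tony", "198.51.100.7", 51001)]
    # 192.168.1.20: hammering as well, but it is on the internal allow-list
    + [_fail(f"Mar 14 02:1{i % 10}:3{i % 10}", "admin", "192.168.1.20", 52000 + i, invalid=True)
       for i in range(15)]
    # unrelated line that the parser must ignore
    + ["Mar 14 02:12:00 gw sshd[1234]: Accepted publickey for tony from 198.51.100.7 port 51002 ssh2"]
)


def parse_failures(lines, year=2005):
    """Return [(datetime, ip)] for every failed-password line; skip everything else."""
    events = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"]))
    return events


def offenders(events, threshold=THRESHOLD, window=WINDOW):
    """Map ip -> most failures seen inside any `window`, for ips reaching `threshold`."""
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    result = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            result[ip] = best
    return result


def decide_blocks(counts, allow=ALLOW):
    """Drop allow-listed addresses so the script cannot lock out your own networks."""
    return [ip for ip in sorted(counts)
            if not any(ipaddress.ip_address(ip) in net for net in allow)]


def iptables_rules(ips, port=SSH_PORT):
    """Host-level rule text: block only ssh from each offender; firewall-wide blocks stay manual."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in ips]


if __name__ == "__main__":
    counts = offenders(parse_failures(SAMPLE_LOG))
    blocks = decide_blocks(counts)
    for ip in counts:
        note = "BLOCK" if ip in blocks else "allow-listed, review by hand"
        print(f"{ip}: {counts[ip]} failures within {WINDOW} -> {note}")
    print("\n".join(iptables_rules(blocks)))
```

Two practitioner notes on the design. The script only emits rule text rather than calling iptables itself, so the blocks can be reviewed before they take effect, which is how the post describes its own workflow. On the spoofing question: sshd logs a failed password only after the TCP handshake completed and the client got as far as authentication, so the logged source is an address that was able to receive the server's replies; the realistic way to abuse an auto-blocker is therefore to make it block an address you rely on, which is what the allow-list guards against.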
