ssh brute force attacks 3205

Michael Heiming

OK. It "introduces" a highly unlikely and difficult to execute DOS method. So my point is that blocking the IPs of failed logins for a small period of time is perfectly reasonable. It's highly unlikely that anyone would try to employ this method after their legitimate IP had been locked out by it, because most such failures are from autonomous scripts and any non-scripted or human observed attack is unlikely to turn around and seek revenge because they were blocked.

If someone is twisted enough to do so, it isn't going to be easy to anticipate the reaction of sshd MaxStartups, which they need to blindly get by to trigger the other failed login blocker. That's going to be really, really hard to do so with a spoofed IP, with no real way to tell if it was successful. If their mind is set on revenge, or their original intent was to DOS you, they are much more likely to use other methods.

ssh brute force attacks 3206

assuming you know my home machine's address and assuming my filter is going to dumbly add that? Both assumptions seem farfetched to me - and again, even if I did blindly let my...

In short, I think this is silly. There is no reason in the world not to block excessive failed logins. You do need to release the block after some small period of time because of the reality of dynamic addresses, but if you see the same address over and over, you could certainly make that time longer and longer. All you are doing is adding an extension to what MaxStartups is doing at most sites anyway. It's absolutely no different, and it's done for the same reason. The only difference is that you get a chance to maintain some state information that could lead to longer blocks.

-- Tony Lawrence
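
The scheme discussed in this thread (temporary blocks that always expire, with retained state making repeat offenders wait longer) can be sketched as follows. This is an added example, not code from either poster; the class name, thresholds, durations and log lines are assumptions, and it only computes block decisions rather than touching a firewall.

```python
import re
from collections import defaultdict, deque

# Source address in OpenSSH "Failed password" log lines.
FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

class EscalatingBlocker:
    """Temporary per-address blocks that lengthen for repeat offenders."""
    def __init__(self, threshold=3, window=60, base=300, cap=86400):
        self.threshold, self.window = threshold, window
        self.base, self.cap = base, cap          # seconds (assumed values)
        self.failures = defaultdict(deque)       # ip -> recent failure times
        self.strikes = defaultdict(int)          # ip -> number of past blocks
        self.blocked_until = {}                  # ip -> expiry time

    def is_blocked(self, ip, now):
        """Blocks always expire, because dynamic addresses get reassigned."""
        return self.blocked_until.get(ip, 0) > now

    def observe(self, line, now):
        """Feed one log line; return (ip, block_seconds) when a block starts."""
        m = FAILED.search(line)
        if not m:
            return None
        ip = m.group(1)
        if self.is_blocked(ip, now):
            return None
        recent = self.failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()
        if len(recent) < self.threshold:
            return None
        # Retained state: each earlier block doubles the next one, up to cap.
        duration = min(self.base * 2 ** self.strikes[ip], self.cap)
        self.strikes[ip] += 1
        self.blocked_until[ip] = now + duration
        recent.clear()
        return ip, duration

def replay(events, blocker=None):
    """Run (timestamp, line) pairs through a blocker; list the blocks issued."""
    blocker = blocker or EscalatingBlocker()
    return [(t, *hit) for t, line in events if (hit := blocker.observe(line, t))]

# Constructed sample log lines (addresses are from documentation ranges).
BAD = "sshd[411]: Failed password for root from 203.0.113.7 port 4022 ssh2"
OK = "sshd[412]: Accepted password for tony from 198.51.100.5 port 5022 ssh2"
SAMPLE = [(0, BAD), (5, BAD), (6, OK), (10, BAD), (20, BAD),
          (400, BAD), (405, BAD), (410, BAD)]
```

Replaying `SAMPLE` issues a 300-second block at t=10 and, once that block has expired and the same address fails three more times, a 600-second block at t=410.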