ssh brute force attacks

We are talking about two entirely different things here. On the one hand we have someone who deliberately wants to DOS me. On the other we have the blocking of an ip due to an apparent break in.

The first is pointless. If someone wants to DOS my webserver, they do NOT need to know my home ip address. If that's what they want to attack, there's not much I can do about it, is there? If you want to annoy me at home, you might observe a newsgroup post. Great, you've maybe got a dynamic Comcast address which will change the minute I power off their router. So MAYBE you could deny me access to my web server IF you assume that my filtering and blocking is dumb enough to put its own public address into the block list. Which it isn't, but even if it were, again it is reset in the morning automatically.

The point of blocking the second class (someone apparently trying to break in) is to add an additional barrier to their attempt. Maybe they started with ssh but are going to move on to something else after that. They shouldn't have much luck, but why NOT block them out totally? Again, it's only temporary, so if they were spoofing someone else's address that person would only be blocked for a while.

And then you say "what about an entire block?". I think that's highly unlikely unless someone IS trying to DOS me, and as I said, they can do that anyway, and if I really thought this was likely my software could look for such patterns and unblock earlier. But in any case, I'm going to drop these blocks after a few hours anyway because their purpose is to put up a barrier against an on-going attempt to break in.

Agreed. I think I've said that at least two or three times.

Again, that wasn't the question. It was stated that automatically blocking ip's is a nice way of "introducing DOS attacks". I don't see that at all. If somebody WANTS to do a DOS attack on me or my web server or both, they surely can do so, but blocking ip's automatically doesn't particularly help them. You might get me to block out a bunch of IP's, as you said, but as I said, you'd only pull that trick on me once and then I'd rewrite my filters to look for patterns like that and accelerate the unblocking. I've never seen anything to make me think this is necessary, but it wouldn't be hard to do:

foreach blockedip

Not exactly beyond my admittedly poor coding skills. But my bet is that if somebody wants to DOS me, they'll be coming at me six ways from Sunday anyway. I may be temporarily blocking some ip's I shouldn't, but my machine is probably being harried to rest on all fronts anyway so those falsely denied folk probably can't get to me at all. So I do not think the assertion is at all valid.

Huh? I'm too slow? What on earth do you mean? Do you think I sit here and review this stuff manually? Of course not: at a specific time, a script runs that does certain things, like re-allowing console login, allowing access from the local network, unblocking addresses that have been blocked overnight, etc. As I explained earlier, I have multiple layers of blocking in place and a lot of it overlaps. I'm excessively paranoid and compulsive about this stuff.

For example, at a certain time, not even I can get to my home office box, unless I want to reboot it to single user mode and use both a bios and grub password. This keeps me in bed sleeping when I get tempted to go work in the middle of the night :-) But it is also yet another layer of protection - if outer layers fail, I might still survive.

I'm reminded of the attempt someone made 20 years ago to break into our house. They attacked the cellar bulkhead door, because the exterior enclosure hid their activity from observation. Because I knew that, I had multiple locks on that door - five, to be precise, and they managed to break four of them, but the fifth kept them out. I apply the same concept to my machine security.

Huh? You run an automatic denial scheme but you are defending the idea that one should not? No wonder I'm confused.. which side of this are you taking?

-- Tony Lawrence
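The blocking scheme described in the post above (block a source after repeated failed ssh logins, lift the block automatically after a few hours, never put your own LAN or public address on the list, and shorten the blocks when a burst of blocks looks like someone spoofing addresses to get others locked out) is sketched below as an added Python example. It is not code from the thread or from either poster; the sshd log format, the thresholds, the `TempBlockList` class and the sample addresses are all constructed assumptions for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the "Failed password" lines OpenSSH writes to the auth log. The
# timestamp prefix is passed separately (as epoch seconds) to keep this simple.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")


class TempBlockList:
    """Count failed ssh logins per source address and block repeat offenders for a while.

    - `threshold` failures within `fail_window` seconds blocks an address for `block_seconds`
    - addresses inside `never_block` (own public address, home LAN) are never added
    - if `flood_count` addresses get blocked within `flood_window` seconds, the burst is
      treated as probable spoofing and every expiry is cut to `flood_block_seconds`,
      so anyone falsely denied is only denied briefly (the "look for such patterns and
      unblock earlier" idea from the post)
    """

    def __init__(self, threshold=5, fail_window=600, block_seconds=6 * 3600,
                 never_block=(), flood_count=20, flood_window=300,
                 flood_block_seconds=600):
        self.threshold = threshold
        self.fail_window = fail_window
        self.block_seconds = block_seconds
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.flood_count = flood_count
        self.flood_window = flood_window
        self.flood_block_seconds = flood_block_seconds
        self.failures = defaultdict(list)   # ip -> timestamps of recent failures
        self.blocked = {}                    # ip -> expiry timestamp
        self.block_times = []                # when each block was added (for flood detection)

    def exempt(self, ip):
        """True for addresses that must never be blocked, whatever they do."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.never_block)

    def is_blocked(self, ip, ts):
        return ip in self.blocked and self.blocked[ip] > ts

    def flood_detected(self, ts):
        """Have too many distinct sources been blocked inside the flood window?"""
        self.block_times = [t for t in self.block_times if ts - t <= self.flood_window]
        return len(self.block_times) >= self.flood_count

    def observe(self, ts, line):
        """Feed one auth-log line with its epoch timestamp; return the ip blocked by it, if any."""
        m = FAILED_RE.search(line)
        if not m:
            return None
        ip = m.group(1)
        if self.exempt(ip) or self.is_blocked(ip, ts):
            return None
        recent = [t for t in self.failures[ip] if ts - t <= self.fail_window]
        recent.append(ts)
        self.failures[ip] = recent
        if len(recent) < self.threshold:
            return None
        self.blocked[ip] = ts + self.block_seconds
        self.block_times.append(ts)
        del self.failures[ip]
        if self.flood_detected(ts):
            # A burst of blocks across many sources: likely spoofed failures meant to
            # make us lock people out. Keep the barrier, but make it short-lived.
            for b in self.blocked:
                self.blocked[b] = min(self.blocked[b], ts + self.flood_block_seconds)
        return ip

    def expire(self, ts):
        """The scheduled unblock job: drop blocks whose time is up and return them."""
        freed = [ip for ip, exp in self.blocked.items() if exp <= ts]
        for ip in freed:
            del self.blocked[ip]
        return freed


def demo():
    """Constructed scenario (not a real log): one attacker, the home LAN, then a burst of sources."""
    bl = TempBlockList(threshold=3, fail_window=600, block_seconds=6 * 3600,
                       never_block=["192.168.1.0/24", "198.51.100.7/32"],
                       flood_count=4, flood_window=60, flood_block_seconds=600)
    result = {}
    # One address hammering root: blocked on the third failure.
    for t in (10, 12, 14):
        hit = bl.observe(t, f"Failed password for root from 203.0.113.5 port {40000 + t} ssh2")
    result["first_block"] = hit
    # Failures from the LAN never produce a block, however many there are.
    for t in (20, 21, 22, 23):
        bl.observe(t, "Failed password for invalid user tony from 192.168.1.10 port 5000 ssh2")
    result["lan_blocked"] = bl.is_blocked("192.168.1.10", 23)
    # Three more sources blocked within a minute of the first: the flood rule kicks in.
    t = 40
    for src in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
        for _ in range(3):
            bl.observe(t, f"Failed password for invalid user admin from {src} port 4444 ssh2")
            t += 1
    last = t - 1
    result["blocked_after_flood"] = sorted(bl.blocked)
    result["longest_remaining_block"] = max(bl.blocked.values()) - last
    result["freed_next_check"] = sorted(bl.expire(last + 601))
    return result


if __name__ == "__main__":
    print(demo())
```

Run stand-alone, the demo shows the single attacker blocked, the LAN address ignored, and all four blocks collapsing from six hours to ten minutes once the burst of distinct sources trips the flood rule.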