ssh brute force attacks 3209

Peter T. Breuer we know for

For the umpteenth time, buttuming that the blocking script is stupid enough to add that particular ip address at all or leave the block in place for an extended period of time. Said it over and over again, but you keep ignoring that.

to

Because they are. It's EXTREMELY unlikely that anyone who was attempting a real break in is going to turn around and do a DOS attack. Most of these failed ssh brute force attacks are scripted or entirely autonomous.

But if someone does want to DOS you, they are going to do so anyway, whether or not you block failed logins. And I bet this wouldn't even be part of what they'd do, because simulating blind failed logins from multiple addresses isn't all that easy. You'd have to know, guess, or somehow algorithmetically determine my MaxStartups setting and I'm not even sure that can be done algorithmetically because it's a probability..

Your ARGUMENT is pointless, not the attack.

I doubt it. For the reasons stated above, this is extremely unlikely.

Just an example. Webserver, mailserver, music server - who cares? Why do you zero in on unimportant details yet ignore the big picture?

should

Just how are you observing my remote login ?????

situations. mechanism Y.

Right. But you keep ignoring that I'd never put X into Y's blocking script and that you are going to have an extraordinarily difficult time triggering this script doing it blind and trying to anticipate sshd's Max Startups. It's hard enough without a spoofed IP; I bet you'd waste a lot of time trying to do it and never even be sure you had succeeeded. If you wanted to DOS me, this is too much work - there are easier ways.

web

If you do somehow manage to deny me access to my public server, I simply reset my router and now I have a new IP. But as stated above, I doubt you could do that anyway. You definitely couldn't do it to me, because I'm going to reset the blocks anyway unless they are repeated offenders. And I'm never going to block my own ip address - that would be stupid.

to but

Then you aren't reading, are you? You are buttuming you know what is being said, and setting up strawmen that you gleefully tear apart.

denial

How else can I tell? Sheesh.. I keep a database of ip's I've recently blocked. I don't let it get very large, but I can compare it to what I've blocked even more recently and decide algorithmically whether or not to block them for a longer period this time.

console that -

Gawd, you really don't listen :-) Plus, you seem to be talking out of both sides of your mouth!

Look, we're talking about blocking IP's that have shown antisocial behavior. I unblock them after a period of time because they may be dynamic. But if they show up again too soon, they will get blocked for a longer period. Get it?

And how do you arrive at these addresses? By some mechanism or do you make them up? If it's by some mechanism, you could in theory be spoofed also, so you seem to be taking both sides of the argument!

hard

Ahh, abusive Peter is here again. We really nned that industrial sander. I suggest we start with a fairly rough grit - it may take a while to get down to the fine sandpaper..

Shall I say that you rather stubbornly refuse to notice the extreme difficulties of failing logins with a spoofed ip, and the reality that most if not all such login failures would be from real hacking attempts, most of which would be scripted?

No matter how many times I note these facts, you ignore them and construct the same straw man that you can knock down to show how foolish I am.

And most amazingly, apparently you block ip's yourself, which couldn't possibly be a manual process because you've already crowed "Too slow!" when you wrongfully buttumed that was what I was doing. One has to wonder just what YOU are talking about, Peter.

-- Tony Lawrence