Re: Attacks on ssh port

From: David D.W. Downey (
Date: 09/19/04

  • Next message: Willem Jan Withagen: "Re: Attacks on ssh port"
    Date: Sat, 18 Sep 2004 18:04:45 -0400
    To: Willem Jan Withagen <>

    > >On Sat, 18 Sep 2004 14:18:32 +0200, Willem Jan Withagen <> wrote:
    > It is not about all this. I know these, and I use them if appropriate.
    > (Come to think of it, I was one of the first externals to test Wietse
    > Venema's TCP-wrapper.)
    > Once I have identified the nature and quality of this type of problem,
    > I want to deal with it in such a way that it is no longer a bother. And
    > in this particular case these records are clogging my login error
    > records. And because of that I just might miss out on the one or two
    > that do matter. You might want to call it noise-reduction, and I'm
    > looking for a as large as possible Signal/Noise ratio.
    > So that is why I would like to be able to throw root/ssh login attempts
    > directly in the garbage and kill the host where these are coming from
    > with a records in my firewall.

    OK, it was a simple suggestion (no derogatory tone meant). I will say
    this much: adding each individual host that scans your machine
    instantly to your firewall WILL end up killing your machine due to
    lookups if this is in place during any large scan or direct port

    I do think you're being overly concerned about your log entries since
    this is *exactly* what the system is *supposed* to do: log the entries
    for further use by the admin if needed. There is no signal to noise
    reduction gained, since what you consider noise is what the system is
    *designed* to do. If you want to reduce the number of entries, then
    reduce the # of entries it logs (aka, when you enable the verbose_limit
    count, it won't log any more than that number of attempts from a host,
    so set it to 2 or even 1. I would suggest 2 so you only get what
    should be considered a bona fide failure.)

    If you want to enable firewalling based on that information, then
    you're going to have to write a custom script to cull the information
    from the logfiles or enable some ports NIDS, or a third-party NIDS, to do
    this for you. (Such as maybe portsentry and hostsentry for a basic
    choice option set.)

    Hopefully this helps.

    David D.W. Downey
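A defensive sketch of the "custom script to cull the information from the logfiles" mentioned above, added here as an example; it is not code from the thread or from any of the tools named. The sshd log lines are constructed, the threshold of 2 follows the suggestion in the reply, and the verbose_limit-style cap is simply a per-host line limit applied after the fact:

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd log lines (not from the thread); RFC 5737 test addresses.
SAMPLE_LOG = """\
Sep 18 14:18:32 gw sshd[1201]: Failed password for root from 192.0.2.10 port 40001 ssh2
Sep 18 14:18:34 gw sshd[1203]: Failed password for root from 192.0.2.10 port 40002 ssh2
Sep 18 14:18:36 gw sshd[1205]: Failed password for root from 192.0.2.10 port 40003 ssh2
Sep 18 14:19:01 gw sshd[1210]: Failed password for illegal user test from 203.0.113.5 port 51000 ssh2
Sep 18 14:19:40 gw sshd[1212]: Failed password for alice from 198.51.100.7 port 52000 ssh2
Sep 18 14:19:45 gw sshd[1213]: Accepted publickey for alice from 198.51.100.7 port 52001 ssh2
"""

# Matches OpenSSH failure lines, including the older "illegal user" form.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:illegal user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_failures(log_text):
    """Yield (ip, user) for every sshd authentication failure in the text."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")

def failures_per_host(log_text, users=("root",)):
    """Count failed logins per source address, restricted to the given accounts."""
    counts = Counter()
    for ip, user in parse_failures(log_text):
        if user in users:
            counts[ip] += 1
    return counts

def block_candidates(log_text, threshold=2, users=("root",)):
    """Sorted addresses with at least `threshold` failures for `users`.
    One batched list per run is cheaper than a firewall insert per attempt,
    which is the lookup cost the reply warns about."""
    return sorted(ip for ip, n in failures_per_host(log_text, users).items()
                  if n >= threshold)

def trimmed_log(log_text, limit=2):
    """Keep at most `limit` failure lines per host (verbose_limit-style cap);
    lines that are not failures always pass through."""
    seen = defaultdict(int)
    kept = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            seen[m.group("ip")] += 1
            if seen[m.group("ip")] > limit:
                continue
        kept.append(line)
    return kept
```

Running `block_candidates(SAMPLE_LOG)` on the sample yields only the host with three root failures; the single "illegal user" and "alice" failures stay in the log but never reach the firewall list.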
