Re: [Full-disclosure] SSH brute force blocking tool

From: Tavis Ormandy <taviso@xxxxxxxxxx>
Date: Tue, 28 Nov 2006 16:32:42 +0000

On Tue, Nov 28, 2006 at 05:14:28PM +0100, Thierry Zoller wrote:

Dear Tavis,

TO> J, you have made an attempt to fix it, but is is not sufficient.
TO> An attacker can still add arbitrary hosts to the deny list.

Can you propose a fix ? Apart from the aggressivness of this thread
I find it interesting to read (from a tech standpoint).

openssh can be configured to log to btmp, I would suggest parsing this
file, it's format is documented in utmp(5).

I wouldnt use a shell script to do so, but I suppose you could use lastb
if you really wanted to, something like `lastb -ai ssh:notty | awk '{print $(NF)}'`.

I think increasing the codepaths that an unauthenticated attacker can
access is always going to be a bad idea, enforcing good password
policies via cracklib or jtr and just ignoring the minor irritation of
these automated attacks would be a safer bet.

Thanks, Tavis.

--
-------------------------------------
taviso@xxxxxxxxxxxxxxxx | finger me for my pgp key.
-------------------------------------------------------

Attachment: pgpYdEobb1hpl.pgp
Description: PGP signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] SSH brute force blocking tool
  - From: J. Oquendo
- Re: [Full-disclosure] SSH brute force blocking tool
  - From: Tavis Ormandy
- Re: [Full-disclosure] SSH brute force blocking tool
  - From: Thierry Zoller
- Re: [Full-disclosure] SSH brute force blocking tool
  - From: J. Oquendo
- Re: [Full-disclosure] SSH brute force blocking tool
  - From: Tavis Ormandy
- Re: [Full-disclosure] SSH brute force blocking tool
  - From: J. Oquendo
- Re: [Full-disclosure] SSH brute force blocking tool
  - From: Tavis Ormandy
- Re: [Full-disclosure] SSH brute force blocking tool
  - From: Thierry Zoller

Prev by Date: Re: [Full-disclosure] SSH brute force blocking tool
Next by Date: Re: [Full-disclosure] Sasser
Previous by thread: Re: [Full-disclosure] SSH brute force blocking tool
Next by thread: Re: [Full-disclosure] SSH brute force blocking tool
Index(es):
- Date
- Thread

Relevant Pages

security patches
... >of "updates" that claim to fix a problem with a program ... many downloads claim to fix a security ... >problem where "an attacker" can gain control of your ... >Microsoft updates and not "the attacker" gaining control ...
(microsoft.public.windowsxp.security_admin)
Re: [Full-disclosure] More information on ZERT patch for ANI 0day
... Gadi Evron wrote: ... it doesn't fix the flawed copy routine. ... I'm thinking that an attacker with write access to %systemroot% probably ...
(Full-Disclosure)
Re: [Full-disclosure] SSH brute force blocking tool
... TO> J, you have made an attempt to fix it, but is is not sufficient. ... TO> An attacker can still add arbitrary hosts to the deny list. ... Hosted and sponsored by Secunia - http://secunia.com/ ...
(Full-Disclosure)
security patches
... of "updates" that claim to fix a problem with a program ... problem where "an attacker" can gain control of your ... Microsoft updates and not "the attacker" gaining control ...
(microsoft.public.windowsxp.security_admin)
security patches
... >of "updates" that claim to fix a problem with a program ... >problem where "an attacker" can gain control of your ... >Microsoft updates and not "the attacker" gaining control ...
(microsoft.public.windowsxp.security_admin)