Re: [Full-disclosure] SSH brute force blocking tool



On Tue, Nov 28, 2006 at 05:14:28PM +0100, Thierry Zoller wrote:
> Dear Tavis,
>
> TO> J, you have made an attempt to fix it, but it is not sufficient.
> TO> An attacker can still add arbitrary hosts to the deny list.
>
> Can you propose a fix? Apart from the aggressiveness of this thread
> I find it interesting to read (from a tech standpoint).

OpenSSH can be configured to log to btmp, I would suggest parsing this
file, its format is documented in utmp(5).

I wouldn't use a shell script to do so, but I suppose you could use lastb
if you really wanted to, something like `lastb -ai ssh:notty | awk '{print $(NF)}'`.

I think increasing the codepaths that an unauthenticated attacker can
access is always going to be a bad idea, enforcing good password
policies via cracklib or jtr and just ignoring the minor irritation of
these automated attacks would be a safer bet.

Thanks, Tavis.

--
-------------------------------------
taviso@xxxxxxxxxxxxxxxx | finger me for my pgp key.
-------------------------------------------------------


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
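
The btmp parsing suggested in the message above, as an added example that is not part of the original post or of any tool discussed in the thread. It assumes the 384-byte Linux/glibc `struct utmp` layout from utmp(5); the function names and the sample records are constructed for illustration. The source address is read from the fixed-width `ut_addr_v6` field, never from a text field.

```python
import ipaddress
import struct
from collections import Counter

# Linux/glibc struct utmp (utmp(5)), 384 bytes. Assumed layout: verify on your platform.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii16s20x")

def _text(raw: bytes) -> str:
    """Fixed-width, NUL-padded field -> str."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def _addr(raw: bytes) -> str:
    """ut_addr_v6: an IPv4 peer uses only the first 4 bytes, the rest are zero."""
    if raw[4:] == bytes(12):
        return str(ipaddress.IPv4Address(raw[:4]))
    return str(ipaddress.IPv6Address(raw))

def failed_ssh_sources(data: bytes, line: str = "ssh:notty") -> Counter:
    """Count btmp records per source address for the given ut_line."""
    counts = Counter()
    usable = len(data) - len(data) % UTMP.size  # ignore a truncated tail record
    for off in range(0, usable, UTMP.size):
        (_type, _pid, ut_line, _id, _user, _host,
         _e1, _e2, _sess, _sec, _usec, addr) = UTMP.unpack_from(data, off)
        if _text(ut_line) == line:
            counts[_addr(addr)] += 1
    return counts

def make_record(user: str, addr: bytes, line: str = "ssh:notty") -> bytes:
    """Build one constructed record for the demo (type 6 = LOGIN_PROCESS)."""
    return UTMP.pack(6, 0, line.encode(), b"", user.encode(), b"",
                     0, 0, 0, 0, 0, addr.ljust(16, b"\0"))

# Constructed sample data, not taken from a real host.
PEER = ipaddress.IPv4Address("192.0.2.10").packed
SAMPLE = b"".join([
    make_record("root", PEER),
    make_record("admin", PEER),
    make_record("x from 198.51.100.7", PEER),  # user text is never parsed for hosts
    make_record("test", ipaddress.IPv6Address("2001:db8::5").packed),
    make_record("bob", ipaddress.IPv4Address("192.0.2.44").packed, line="tty1"),
]) + b"\0" * 100  # partial trailing record

if __name__ == "__main__":
    for source, n in failed_ssh_sources(SAMPLE).most_common():
        print(n, source)
```

On a real host the input would be the raw contents of the btmp file, which is normally readable only by root.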
