Re: block_ssh_guessers



On Thu, 27 Apr 2006, in the Usenet newsgroup comp.os.linux.security, in article
<pan.2006.04.27.21.51.27.713067@xxxxxxxxxxxxxx>, sudo namei wrote:

> Well, remember we aren't talking about a "need" in any
> performance-related sense of the word, but rather in the context of this
> hypothetical exploit that someone else was [erroneously, I think]
> claiming a port-knocking daemon could be vulnerable to.

OK - I was talking of "practical" implementations that I've seen in use.
Again, you need to define the threat model that is to be defended against.
If someone kicks off a Distributed Denial Of Service attack (DDOS) such
that your pipe to the world is full, that's one thing. It doesn't matter
if they are trying to knock over the fence around your SSH daemon, or are
the result of a vicious rumor that you have these wonderful pictures on
your web/ftp server of a St. Bernard wearing fish-net stockings being
assaulted by a dachshund wearing only an eye patch and white shirt. Most
"attacks" targeting SSH (and before that, telnet and the Berkeley 'r'
commands) that I've seen have been relatively unsophisticated stuff run
by skript kiddiez. Port scans, etc. tend to be slow - slower still when
the target hunkers down into "ignore" mode.

> I haven't really played with logging data to pipes... Does the data "go
> away" after some sort of handling, or does it continue to consume resources
> (disk or memory) as additional events are added?

Depends on what you are doing with it. If you are just running the data
past a filter such as 'grep', then only the "selected" data remains and
that only if you aren't using -q. Even then, the remaining data only goes
to stdout of the command, and if nothing is watching that, it's gone.

> OK, see, I assumed when I started reading this thread that we were all
> going to be playing with big kids' toys... *grin* I haven't really put
> my hands on any Windows-based firewall product that I would ever trust
> in an Internet-facing scenario. Which is not to say that they might not
> exist, I just haven't had the [dubious?] pleasure.

I'm not sure how much detail you're going to see. Some of us are under
those nasty things called Non-Disclosure-Agreements - which is why I'm
posting from a residential account rather than work. As far as windoze
boxes go, I tend to agree with you - and most seem to be quite limited
in capability.

> Suppose for example that you discovered that a large portion of your
> Windows Popup message attempts were coming from an E-mail marketing
> company.

Coming from? That would be difficult to prove. My opinion is that most, if
not all, source addresses are spoofed, and my _guess_ is that these are,
in reality, zombies on wide bandwidth hookups - such as windoze boxes on
cable networks. Back in November 2005, Matthias Leisi released a paper
titled "A day in the life of a spammer" (don't know if it's still at
http://matthias.leisi.net/archives/126-a-day-in-the-life-of-a-spammer.html)
indicating that was a main mechanism for _mail_ delivery of spam. (A
google search for "a-day-in-the-life-of-a-spammer" does turn up the page.)

Normally, the more productive technique is to "follow the money". This
means following the registrations of the sites being advertised. Another
hit on the same google search notes that many spammers use false names
and addresses, and a lot of the domains are 'throw-away'. When I looked
at this last June, _every_ domain advertised was registered no more than
fifteen days before being used in spam, and most of them no longer resolved
in October.

> That could be very handy fodder for the lawyers to chew on... :)

Maybe, maybe not.

Old guy