lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri Sep  2 17:22:58 2005
From: disclosure at wykkyd.securecoffee.com (Bardus Populus)
Subject: Re: Full-Disclosure Digest, Vol 7, Issue 4

Previously on Full Disclosure:
> ------------------------------
>
> Message: 9
> Date: Fri,  2 Sep 2005 05:53:04 -0400
> From: "Pedro Hugo  " <fractalg@...hspeedweb.net>
> Subject: Re: [Full-disclosure] SSH Bruteforce blocking script
> To: <full-disclosure@...ts.grok.org.uk>
> Message-ID: <200509020553.AA4522138@...hspeedweb.net>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
>>I don't want to debate the goodness or badness of the strategy of
>>blocking hosts like this in /etc/hosts.deny. It works perfectly for me,
>>and most
>>likely would for you, so no religious debates thanks. It's effective at
>>blocking bruteforce attacks. If a host EXCEEDS a specified number of
>>guesses
>>during the (configurable) 30 seconds it takes the script to cycle, the
>>host is blacklisted.
>>
>
> Why are you doing this the wrong way ? You should whitelist hosts, instead
> blacklisting them.
> Unless you have administrative reasons for such decision, hosts.deny
> should be set to ALL:ALL, and you should allow specifically in
> hosts.allow.
> This way everything is dropped by default. Tcpwrappers should be
> configured the same way a firewall is, unless there is something against
> it.
> Even if you have customers who need remote access, adding a few ip's is
> much better than having open by default.
> Kind Regards,
> Pedro Hugo
>
>
Occasionally they do let, nay force, admins out of server closets, for
health, or business, reasons.

Though I cannot speak for the OP directly, I submit that I travel often
for business and cannot predict with any authority whether I am going to
have a particular IP as a source with sufficient prescience to enter it
into a whitelist before I leave.

Between hotels and hosting organizations my IP varies radically, and due
to their addressing and name assignment schemes, I may even not have a
hostname choice (particularly a FQDN), so the static hostname option is
out also (for hosts.allow).

Since it is not acceptable for me to simply not have the ability to SSH
into my servers when on the road, this is a solution that would work in
part for me (though I have moved SSH to another port, it still receives
"traffic" - just luckily not of the brute force login type as yet) and
would potentially help out others in a similiar situation.

-bp

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ