| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 28 Nov 2006 16:32:42 +0000
From: Tavis Ormandy <taviso@...too.org>
To: Thierry Zoller <Thierry@...ler.lu>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: SSH brute force blocking tool
On Tue, Nov 28, 2006 at 05:14:28PM +0100, Thierry Zoller wrote:
> Dear Tavis,
>
> TO> J, you have made an attempt to fix it, but is is not sufficient.
> TO> An attacker can still add arbitrary hosts to the deny list.
>
> Can you propose a fix ? Apart from the aggressivness of this thread
> I find it interesting to read (from a tech standpoint).
openssh can be configured to log to btmp, I would suggest parsing this
file, it's format is documented in utmp(5).
I wouldnt use a shell script to do so, but I suppose you could use lastb
if you really wanted to, something like `lastb -ai ssh:notty | awk '{print $(NF)}'`.
I think increasing the codepaths that an unauthenticated attacker can
access is always going to be a bad idea, enforcing good password
policies via cracklib or jtr and just ignoring the minor irritation of
these automated attacks would be a safer bet.
Thanks, Tavis.
--
-------------------------------------
taviso@....lonestar.org | finger me for my pgp key.
-------------------------------------------------------
Content of type "application/pgp-signature" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists