* Michael Tautschnig <[EMAIL PROTECTED]> [2008-08-21 09:24-0400]:
> > * Michael Tautschnig <[EMAIL PROTECTED]> [2008-08-21 07:35-0400]:
> > > Hi all,
> > >
> > > since two days (approx.) I'm seeing an extremely high number of apparently
> > > coordinated (well, at least they are trying the same list of usernames) brute
> > > force attempts from IP addresses spread all over the world. I've got denyhosts
> > > and an additional iptables based firewall solution in place to mitigate these
> > > since quite some time already and this seems to do the trick in terms of
> > > blocking them fairly quickly.
> >
> > I hope you are aware that it's very trivial for a non-privileged user
> > on your system to issue a logger command to trigger a denyhosts DOS to
> > lock out anyone they want.
> >
>
> Hmm, no, not really - how would that work?

fail2ban and denyhosts watch log files for repeat failed ssh authentication
attempts from particular IPs. It's quite trivial for a non-privileged user to
add entries to your logfiles using the syslog facilities (try it yourself using
'logger'). You will quickly find that you can very simply craft a log message
that would be picked up by these programs and be able to block an IP of your
choosing.

micah
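
The weakness described in the message above, seen from the defender's side, as an added example that is not part of the original thread: a ban counter that trusts the program name written in the log text is compared with one that checks origin metadata recorded by the logging daemon. It assumes records shaped like `journalctl -o json` output (fields starting with `_` are set by journald, not by the sender), an sshd that logs as process `sshd` under uid 0, and a three-failure threshold; all records and addresses are constructed.

```python
import re
from collections import Counter

FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")
THRESHOLD = 3  # failures before an address is banned (assumed policy)

def rec(ident, comm, uid, ip):
    """Build one constructed record in the shape of `journalctl -o json` output."""
    return {"SYSLOG_IDENTIFIER": ident, "_COMM": comm, "_UID": uid,
            "MESSAGE": f"Failed password for invalid user admin from {ip} port 40122 ssh2"}

# Constructed sample: three failures logged by sshd itself, then three records
# that only claim to be sshd and were submitted by an ordinary account.
SAMPLE = ([rec("sshd", "sshd", "0", "203.0.113.7")] * 3 +
          [rec("sshd", "logger", "1001", "198.51.100.20")] * 3)

def claims_sshd(r):
    # Sender-supplied tag: any local user can set it, so it proves nothing.
    return r.get("SYSLOG_IDENTIFIER") == "sshd"

def from_sshd(r, comm="sshd", uid="0"):
    # Origin fields recorded by journald; comm and uid values are assumptions.
    return r.get("_COMM") == comm and r.get("_UID") == uid

def banned(records, accept):
    """Return addresses with THRESHOLD or more failures among accepted records."""
    hits = Counter()
    for r in records:
        m = FAILED.search(r.get("MESSAGE", ""))
        if m and accept(r):
            hits[m.group(1)] += 1
    return {ip for ip, n in hits.items() if n >= THRESHOLD}

def forged(records):
    """Records that look like sshd failures but did not come from sshd."""
    return [r for r in records
            if FAILED.search(r.get("MESSAGE", "")) and claims_sshd(r) and not from_sshd(r)]

if __name__ == "__main__":
    print("text-only matcher bans:", sorted(banned(SAMPLE, claims_sshd)))
    print("origin-checked matcher bans:", sorted(banned(SAMPLE, from_sshd)))
    print("forged records to alert on:", len(forged(SAMPLE)))
```

Records returned by `forged` are worth alerting on in their own right, since they identify the local account that submitted them.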

