-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Starks
Sent: Sunday, January 01, 2006 10:06 AM
To: Discussion about mythtv
Subject: Re: [mythtv-users] ssh attack

[EMAIL PROTECTED] wrote:
>You've missed the point. These types of packages don't look for
>multiple attempts at a single user name. They simply watch the auth
>logs and match failures to IPs. Once an IP has accumulated a certain
>number of failures within a specified time period, that IP address is
>temporarily added to a firewall table to block all further connections.
>In your case, root/root is the first failure, mythtv/mythtv is the
>second failure, etc.
>
>I use fail2ban to do the same thing. It's highly configurable so you
>can adjust the rules to match almost any kind of log file.
>
>

If the attacker uses a spoofed source IP of localhost, the server's IP, a configured DNS server, the Zap2it web site(s) or some other needed IP, that would be an effective DoS. If the intent is a DoS of some sort rather than an interactive login, the reply to the SSH SYN is not necessary. Are there any provisions in these tools to protect against these types of spoofing attacks?

_______________________________________________
mythtv-users mailing list
[email protected]
http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users

With DenyHost I'm pretty sure you can set the IPs that it is not to block. DenyHost blocks ssh for an IP by default when there are a lot of failures to log in. It can be changed to block 'all' though on failures. So you'll still be able to see the website, and you can ssh out to that box, but it can't ssh to you.

"Let ye without segmentation fault cast the first int!"
Korey Fort
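Added example, not part of the thread and not either tool's own code: the per-IP failure counting described in the quoted message, combined with the never-block list mentioned in the reply. The function name, parameters, thresholds and log lines are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample sshd log lines (not taken from the thread).
SAMPLE_LOG = """\
Jan  1 10:00:01 myth sshd[411]: Failed password for root from 203.0.113.9 port 4021 ssh2
Jan  1 10:00:03 myth sshd[412]: Failed password for invalid user mythtv from 203.0.113.9 port 4022 ssh2
Jan  1 10:00:05 myth sshd[413]: Failed password for invalid user admin from 203.0.113.9 port 4023 ssh2
Jan  1 10:00:06 myth sshd[414]: Failed password for root from 127.0.0.1 port 5000 ssh2
Jan  1 10:00:07 myth sshd[415]: Failed password for root from 127.0.0.1 port 5001 ssh2
Jan  1 10:00:08 myth sshd[416]: Failed password for root from 127.0.0.1 port 5002 ssh2
Jan  1 10:00:09 myth sshd[417]: Failed password for root from 198.51.100.7 port 6000 ssh2
Jan  1 10:20:00 myth sshd[418]: Failed password for root from 198.51.100.7 port 6001 ssh2
Jan  1 10:40:00 myth sshd[419]: Failed password for root from 198.51.100.7 port 6002 ssh2
"""

FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
                    r"(?:invalid user )?\S+ from (\S+) port")

def ips_to_ban(log_text, max_failures=3, window=timedelta(minutes=10),
               never_ban=("127.0.0.0/8",), year=2006):
    """Return the set of source IPs that reach max_failures within window."""
    allow = [ip_network(n) for n in never_ban]
    recent = defaultdict(deque)    # ip -> failure timestamps still inside the window
    banned = set()
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is supplied by the caller
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        try:
            ip = ip_address(m.group(2))
        except ValueError:
            continue               # hostname or garbage in the address field
        if any(ip in net for net in allow):
            continue               # allowlisted address: never counted, never banned
        q = recent[ip]
        q.append(ts)               # the user name is ignored; only the source IP matters
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            banned.add(str(ip))
    return banned

if __name__ == "__main__":
    print(ips_to_ban(SAMPLE_LOG))
```

Calling it with never_ban=() shows the self-inflicted block the question is about: 127.0.0.1 then lands in the ban set alongside the scanning address.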
