Walter <[email protected]> wrote:
> Aggelos Economopoulos wrote:
> > Because
> > a) such a mechanism could be used for DoS attacks on the system itself
> [...]
> I don't understand how blocking an IP that has had
> a hundred failed login attempts in the last ten
> minutes could create a DoS hole...

Depending on how exactly the errors are parsed and handled, an attacker could spoof some name or address that is important to you (e.g. your own IP address, or the address of your DNS server, or your uplink gateway, or ...). Not good.

Admittedly it is very difficult to spoof the source IP address in the case of SSH connection attempts, at least if the attacker needs to go farther than just the initial TCP handshake, but still there might be other pitfalls involved. Spoofing DNS names is trivial, by the way, so you should never rely on that.

In general, if you install any automatism that blocks something (or takes some other destructive action), you should know exactly what you're doing. Personally I would never do something like that, even though I think I have a fairly good understanding of TCP/IP and networking in general.

> What if someone hacked an account and started trying
> to gain root access?

You mean when you have a machine with many untrusted shell accounts? In that case you should use something like jails or similar security measures.

> Aren't there ways to tell you've
> got a hacker online before he/she compromises your
> system? It seems like a good thing to know. Yet, as
> I must admit, I have no idea what tools are in place
> which might be used to gauge this. The heuristics may
> not be trivial, but could be developed... I was just
> wondering why no one had tried it.

Actually there are many good books about security, and online tutorials, howtos etc. Maybe you should google a bit. There are already many things you can do to proactively secure your system, and to monitor for possible security breaches. This topic is probably much too broad for a mailing list like this, so I won't even try to start enumerating things.

> I just thought that I'd like a tool that once I got some
> definable failed login attempts that I'd like the computer
> to automatically shunt the source IP for a while.

You don't really gain anything by doing that. And you don't have to do that at all if you have secured your system reasonably.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606, Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht München,
HRB 125758, Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd
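An added illustration of the pitfall Oliver describes (example code, not part of the thread): a failed-login counter that reads sshd auth log lines in a sliding window, but refuses to ever act on addresses the host depends on (its own address, resolver, gateway). The log lines, the 2024 year, the threshold and the protected addresses are all constructed assumptions.

```python
"""Added example: count sshd 'Failed password' lines per source address inside a
sliding window, and keep operator-critical addresses off the block list."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample auth log in OpenSSH's usual syslog shape (not real traffic).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[101]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar  3 10:00:03 host sshd[102]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar  3 10:00:05 host sshd[103]: Failed password for root from 192.0.2.53 port 40003 ssh2
Mar  3 10:00:07 host sshd[104]: Failed password for root from 192.0.2.53 port 40004 ssh2
Mar  3 10:00:09 host sshd[105]: Failed password for root from 203.0.113.5 port 40005 ssh2
Mar  3 10:00:11 host sshd[106]: Failed password for root from 192.0.2.53 port 40006 ssh2
Mar  3 10:00:00 host sshd[107]: Failed password for root from 198.51.100.7 port 40007 ssh2
Mar  3 10:20:00 host sshd[108]: Failed password for root from 198.51.100.7 port 40008 ssh2
Mar  3 10:30:00 host sshd[109]: Failed password for root from 203.0.113.5 port 40009 ssh2
"""
# Hypothetical addresses that must never be blocked: resolver, gateway, loopback.
PROTECTED = [ip_network("192.0.2.53/32"), ip_network("192.0.2.1/32"), ip_network("127.0.0.0/8")]

FAILED = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for .* from (?P<ip>[0-9a-fA-F.:]+) port")

def parse_failures(log):
    """Return {source_ip: [timestamp, ...]} for every failed-password line."""
    fails = defaultdict(list)
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:  # syslog lines carry no year; assume 2024 for the sample
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2024)
            fails[m["ip"]].append(ts)
    return fails

def is_protected(ip):
    return any(ip_address(ip) in net for net in PROTECTED)

def decide(log, threshold=3, window=timedelta(minutes=10)):
    """Return (to_block, refused): addresses with >= threshold failures inside any
    window of the given length, split by whether the protected list vetoes them."""
    to_block, refused = set(), set()
    for ip, times in parse_failures(log).items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                (refused if is_protected(ip) else to_block).add(ip)
                break
    return to_block, refused

if __name__ == "__main__":
    print(decide(SAMPLE_LOG))  # 198.51.100.7 stays out: two hits 20 minutes apart
```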
