Subject: Re: Re: SSH brute force attacks and blacklist.py
Group: Gentoo-user
From: Willie Wong
Date: 28 Feb 2008


 
On Wed, Feb 27, 2008 at 10:39:15PM +0100, Penguin Lover Anno v. Heimburg squawked:
> It limits the number of new connections on each port in
> INPUT_LIMITER_TCPPORTS from any individual host to INPUT_LIMITER_COUNT
> within INPUT_LIMITER_TIME.

My experience suggests that finding the right INPUT_LIMITER_TIME would
be difficult. From my experience (by reading the logs after I cobbled
together a patchwork solution to blacklist hosts), the typical
behaviour of an sshd brute-force attack, after you start dropping
packets from it, is that it will begin to add a geometrically
increasing sleep time between attempts and continue for about 30
minutes to an hour. So if your time parameter is on the order of
several seconds, the attack will be like

try, try, try, doh! connection timed out, wait a bit, try again,
doh! still timed out, wait a bit longer, hey it works now, try, try,
doh! time out again

rinse and repeat.

But if you set the time parameter to minutes or tens of minutes, then
you risk banning yourself if you need multiple instances of ssh. (Yes,
screen is nice, but sometimes I like to keep two terminals open. And
there's always the case of "saving work, quitting, logging out; doh!
forgot to do something, log back in again" scenario.)

W
--
When a clock is hungry it goes back four seconds.
Sortir en Pantoufles: up 447 days, 14:54
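
The trade-off described in this message, as an added example that is not part of the original thread or of the firewall script being discussed: a sliding-window limiter with the INPUT_LIMITER_COUNT / INPUT_LIMITER_TIME semantics is run against a client that backs off geometrically after each drop, and against an administrator's own logins. Assumptions: dropped attempts are not counted against the host, the backoff doubles from 2 seconds, the run lasts 45 minutes, and both timelines are constructed.

```python
from collections import deque

def make_limiter(count, window):
    """Per-host limiter: accept at most `count` new connections per `window` s.
    Assumption: dropped attempts are not counted against the host."""
    accepted = deque()
    def allow(t):
        while accepted and t - accepted[0] >= window:
            accepted.popleft()          # forget connections older than the window
        if len(accepted) < count:
            accepted.append(t)
            return True
        return False
    return allow

def backoff_client(allow, duration=45 * 60, base=2, factor=2):
    """Constructed model of the logged behaviour: retry every second while
    accepted, multiply the sleep by `factor` after each dropped attempt."""
    t, delay, ok, dropped = 0, base, 0, 0
    while t < duration:
        if allow(t):
            ok, delay, t = ok + 1, base, t + 1
        else:
            dropped, t, delay = dropped + 1, t + delay, delay * factor
    return ok, dropped

# Constructed admin timeline in seconds: first login, second terminal,
# log out and back in, then "forgot to do something" and log in again.
ADMIN_LOGINS = [0, 20, 300, 330]

def evaluate(count, window):
    """Run both clients against fresh limiters with the same parameters."""
    ok, dropped = backoff_client(make_limiter(count, window))
    admin_allow = make_limiter(count, window)
    return {
        "attacker_accepted": ok,
        "attacker_dropped": dropped,
        "admin_logins": [admin_allow(t) for t in ADMIN_LOGINS],
    }

if __name__ == "__main__":
    for window in (10, 600):            # "several seconds" vs "tens of minutes"
        print(window, evaluate(count=3, window=window))
```

With a 10-second window the backing-off client still gets hundreds of attempts accepted over the run and the administrator is never blocked; with a 600-second window it gets only a handful, but the administrator's fourth login is dropped.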