[WBEL-users] kill ssh dictionary attacks

khaqq khaqq at free.fr
Thu Mar 23 07:14:25 CST 2006


On Thu, 23 Mar 2006 22:29:02 +1000
"Graham Waring" <liverbird89 at hotmail.com> wrote:

> G'day everyone,
> 
> Not just for whitebox but an email to pass on a link to a pretty cool python 
> app for many linux's.  Around this time last year this list was discussing 
> this very issue and I hope this comes in handy for at least one of you.  It 
> has always annoyed the cr@p out of me each morning as I go through the logs 
> on my linux servers to see attempted ssh connections using every username 
> under the sun as some person tries to guess my passwords (dream on) and 
> "own" my servers.  I have used port knocking which is really good and works 
> well, but I ssh to "lots" of remote linux boxes...and I just want to ssh in, 
> sometimes as quick as possible without executing a port knock sequence.  I 
> use it on whitebox, centos, suse, debian and aurora with no problems.  It 
> just works and when I see "connection refused" in the logs, I declare out 
> loud how good it is (even if nobody is listening).  Anyway, check out:
> http://www.howtoforge.com/preventing_ssh_dictionary_attacks_with_denyhosts
> I hope this is of some use to those who are suffering from the overnight 
> ssh attempts.
> Sorry if this list is supposed to be whitebox only related chat, I am just 
> passing on something that may help.
> 
> Cheers
> Graham

Hi Graham and list,

Interesting tool, to say the least. The synchronisation mode looks especially
useful. However, if I was in the business of breaking ssh boxes using
dictionary attacks, I would use a botnet as proxy, making detection harder
(but not impossible).
Using denyhosts is akin to using an antivirus on Win32 boxes: you're well
protected against known viruses, but not at all against a new outbreak. Your
defense lags the attack, and there is still a period during which you're
vulnerable.
The knockd daemon, while still imperfect IMHO, provides a better protection,
but maybe that's just me.

Cheers

khaqq
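
The trade-off raised in this thread, shown as an added example that is not part of either message and is not DenyHosts code: counting failed logins per source address catches a single noisy host, while a second pass over the remaining failures flags attempts spread thinly across many addresses. The log lines are constructed samples in the usual OpenSSH format, and the thresholds and function names are assumptions chosen for illustration.

```python
import re
from collections import Counter

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def parse_failures(lines):
    """Yield (user, source_ip) for each failed sshd password attempt."""
    for line in lines:
        m = FAILED.search(line)
        if m:
            yield m.group(1), m.group(2)

def per_ip_blocklist(failures, threshold=5):
    """Per-source counting: block an address once it reaches `threshold` failures."""
    counts = Counter(ip for _, ip in failures)
    return {ip for ip, n in counts.items() if n >= threshold}

def distributed_alert(failures, blocked, min_sources=4, min_failures=6):
    """Check what per-source counting left behind: many failures from many
    addresses, each below the per-source threshold. Returns (alert, failures, sources)."""
    rest = [(user, ip) for user, ip in failures if ip not in blocked]
    sources = {ip for _, ip in rest}
    alert = len(rest) >= min_failures and len(sources) >= min_sources
    return alert, len(rest), len(sources)

def _line(sec, user, ip, ok=False):
    """Build one constructed auth-log line (sample data, not a real log)."""
    what = "Accepted" if ok else "Failed"
    return (f"Mar 23 03:{sec // 60:02d}:{sec % 60:02d} host sshd[{2000 + sec}]: "
            f"{what} password for {user} from {ip} port {40000 + sec} ssh2")

# Constructed sample: one noisy host, eight addresses with one attempt each,
# and one successful login. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = (
    [_line(i, "root", "192.0.2.10") for i in range(6)]
    + [_line(60 + i, "invalid user admin", f"198.51.100.{i + 1}") for i in range(8)]
    + [_line(90, "alice", "203.0.113.5", ok=True)]
)

if __name__ == "__main__":
    failures = list(parse_failures(SAMPLE_LOG))
    blocked = per_ip_blocklist(failures)
    print("blocked by per-source count:", sorted(blocked))
    print("distributed pattern (alert, failures, sources):",
          distributed_alert(failures, blocked))
```

The sample is treated as a single time window; a deployed check would apply the same counts per sliding window.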

