
Re: Blocking SSH attackers



Rudi Starcevic wrote:

> I use denyhosts[1] with success.
> http://denyhosts.sourceforge.net/
> I have to agree with Michael.
> This is the neatest, easiest to use solution I've found over the years.
>
> I sometimes wonder how cool it would be if this Python code
> came built in with a standard Debian install ...........

How is this any better than just using an iptables/ipchains rule? The current Linux IP filtering system allows you to automatically block a host if that host connects to port X more than Y times in Z minutes. The nice thing is that it can also automatically unblock that host after some number of minutes/hours/days (for if the attacker was using a dynamic IP, so the IP is no longer a threat later).

The nice thing about this method is that, from what I can tell, as soon as the attacker tries for the Yth time, they get blocked. In other words, if the attacker is trying 300 name/passwd combinations every minute (5 per sec), and I've got my threshold set at 5 connections per 5 minutes, then the IP filter should block him after 1 second.

With denyhosts, I'd think that they wouldn't get blocked until the script goes and checks the logs again... possibly once per minute... allowing up to 300 attacks before blocking, instead of 5. Furthermore, if denyhosts is just adding the host to hosts.deny, then won't this only work for daemons that are launched from inetd (or other hosts.deny-aware daemons)? Lastly, using ipchains/iptables stops the attacker at the socket, before any daemons are bothered with the attack, which should diminish any performance hit from the attack.

- Joe
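The "block after Y new connections to port X within Z seconds, then let the block expire on its own" rule set that the message above describes can be expressed with the iptables `recent` match. The script below is an added example written for this page, not code posted in the thread or shipped by denyhosts; the function names are made up, and the defaults (port 22, 5 connections, 300 seconds) are assumed to match the numbers used above. Setting `IPT=echo` prints the rules instead of applying them, so it can be read or tested without root.

```sh
#!/bin/sh
# Added example (not from the thread): per-source rate limiting of new SSH
# connections with the iptables "recent" match. Assumed defaults: port 22,
# 5 new connections per 300 s. Source this file, then call the functions:
#   . ./ssh-ratelimit.sh && ssh_ratelimit_rules 22 5 300
# IPT=echo prints the rules instead of applying them (no root needed).
IPT=${IPT:-iptables}

# xt_recent keeps at most ip_pkt_list_tot timestamps per address (kernel
# default 20). A --hitcount above that can never be reached unless the module
# is loaded with a larger value, e.g. modprobe xt_recent ip_pkt_list_tot=50.
RECENT_PKT_LIST_TOT=20

ssh_ratelimit_rules() {
    port=${1:-22}   # TCP port X
    hits=${2:-5}    # Y new connections ...
    secs=${3:-300}  # ... within Z seconds
    if [ "$hits" -gt "$RECENT_PKT_LIST_TOT" ]; then
        echo "hitcount $hits exceeds ip_pkt_list_tot=$RECENT_PKT_LIST_TOT;" \
             "load xt_recent with a larger ip_pkt_list_tot first" >&2
        return 2
    fi
    # 1. Record the source address and a timestamp in the list "SSH" for every
    #    new connection (SYN) to $port. Packets of established sessions are not
    #    counted, so an open login session does not accumulate hits.
    $IPT -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW \
        -m recent --name SSH --set
    # 2. Drop the attempt if this source now has $hits or more entries within
    #    the last $secs seconds. Because rule 1 already added this attempt, the
    #    Yth connection is dropped at the socket; the daemon never sees it.
    #    --update also refreshes the entry, so the block lasts until the source
    #    has been quiet for $secs seconds and then expires by itself (use
    #    --rcheck instead if only the original attempts should count).
    $IPT -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW \
        -m recent --name SSH --update --seconds "$secs" --hitcount "$hits" -j DROP
}

# Show the addresses currently tracked, with their hit timestamps. The proc
# path depends on the kernel version (xt_recent on newer, ipt_recent on older).
ssh_ratelimit_show() {
    for f in /proc/net/xt_recent/SSH /proc/net/ipt_recent/SSH; do
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    echo "recent list SSH not found; rules not loaded?" >&2
    return 1
}
```

Two things a practitioner should keep in mind when choosing the threshold: the rule counts TCP connections, not password guesses, and one SSH connection may carry several authentication attempts (OpenSSH's MaxAuthTries defaults to 6), so 5 connections can mean roughly 30 guesses; and the rule also counts legitimate connections, so a user who opens many short sessions in a row will be dropped as well, whereas a log-driven tool only reacts to failures. `ssh_ratelimit_show` is the quickest way to see who has been caught, and with IPT=echo the generated rules can be reviewed before they touch a live firewall.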


