Re: What to do about SSH brute force attempts?
* Michael Tautschnig <firstname.lastname@example.org> [2008-08-21 09:24-0400]:
> > * Michael Tautschnig <email@example.com> [2008-08-21 07:35-0400]:
> > > Hi all,
> > >
> > > since two days (approx.) I'm seeing an extremely high number of apparently
> > > coordinated (well, at least they are trying the same list of usernames) brute
> > > force attempts from IP addresses spread all over the world. I've got denyhosts
> > > and an additional iptables based firewall solution in place to mitigate these
> > > since quite some time already and this seems to do the trick in terms of
> > > blocking them fairly quickly.
> > I hope you are aware that its very trivial for a non-privileged user
> > on your system to issue a logger command to trigger a denyhosts DOS to
> > lock out anyone they want.
> Hmm, no, not really - how would that work?
fail2ban and denyhosts watch log files for repeat failed ssh
authentication attempts from particular ips. Its quite trivial for a
non-privileged user to add entries to your logfiles using the syslog
facilities (try it yourself using 'logger'). You will quickly find
that you can very simply craft a log message that would be picked up
by these programs and be able to block an IP of your choosing.