[nycbug-talk] Analyzing malicious SSH login attempts
ike at lesmuug.org
Wed Sep 13 13:25:22 EDT 2006
Some SSH food for thought,
On Sep 12, 2006, at 2:54 PM, csnyder wrote:
>> I think parsing logs and injecting rules is just plain ridiculous.
>> Especially using 3rd party languages not native to your OS. It's just
>> more custom stuff to re-implement on the next os rebuild.
> Look, I know it's ridiculous, but it's also more portable (for now)
> than pf.
Forgive my possible naiveté, but how does any ssh/packet-filter
incorporation strategy really secure anything, big picture
(regardless of the implementation)?
What happens when ssh passwords come under distributed dictionary
attack by a botnet (many IP addresses)? Wouldn't it render the
filter moot, and perhaps even create a resource attack as a side
effect of dynamically loading gargantuan filter rulesets?
What happens when an attacker spoofs the IP addresses you use, with
the effect of blocking you from your own systems?
Additionally, what happens when SSH itself meets its inevitable zero-day
(could be tomorrow, could be 50 years from now)? Doesn't any
complicated intermingling with other parts of the system make ssh
that much more difficult and error prone to replace quickly?
I'm not lookin' to pick a flame-fight, I'm just discussing, and I
feel many packet-filter strategies give a false sense of security.
Convince me it's a sane strategy, and I'll likely go implement it.
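As an added example, not code from this thread, here is the minimal shape a log-parsing blocker needs to avoid the failure modes raised above: an allowlist so your own management network can never end up in the block table, a hard cap so a distributed attack cannot inflate the ruleset, and the pfctl table commands rendered for review rather than executed. The sshd lines, network ranges, threshold and cap are constructed/hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines (not taken from the original post).
SAMPLE_LOG = """\
Sep 13 13:20:01 host sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 40312 ssh2
Sep 13 13:20:03 host sshd[4012]: Failed password for invalid user test from 203.0.113.7 port 40315 ssh2
Sep 13 13:20:05 host sshd[4013]: Failed password for root from 203.0.113.7 port 40320 ssh2
Sep 13 13:21:10 host sshd[4020]: Failed password for ike from 192.0.2.10 port 51000 ssh2
Sep 13 13:21:12 host sshd[4021]: Failed password for ike from 192.0.2.10 port 51001 ssh2
Sep 13 13:21:15 host sshd[4022]: Failed password for ike from 192.0.2.10 port 51002 ssh2
Sep 13 13:23:00 host sshd[4040]: Failed password for invalid user oracle from 198.51.100.20 port 2222 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

# Hypothetical policy values: networks that must never be blocked (your own
# admin hosts, so a mistyped password cannot lock you out) and a hard cap on
# table size so many attacking sources cannot balloon the ruleset.
ADMIN_NETS = [ipaddress.ip_network("192.0.2.0/24")]
THRESHOLD = 3
MAX_BLOCKS = 100

def failed_logins(log_text):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def block_candidates(counts, threshold=THRESHOLD, admin_nets=ADMIN_NETS, max_blocks=MAX_BLOCKS):
    """Addresses at or above threshold, minus allowlisted nets, capped in size."""
    out = []
    for addr, n in counts.most_common():  # worst offenders first, so the cap keeps them
        if len(out) >= max_blocks or n < threshold:
            break
        if any(ipaddress.ip_address(addr) in net for net in admin_nets):
            continue  # never block your own management networks
        out.append(addr)
    return out

def pf_table_commands(addrs, table="bruteforce"):
    """Render the pfctl table additions an operator would review before running."""
    return [f"pfctl -t {table} -T add {a}" for a in addrs]
```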