[nycbug-talk] Analyzing malicious SSH login attempts

Isaac Levy ike at lesmuug.org
Wed Sep 13 13:25:22 EDT 2006


Hi All,

Some SSH food for thought,

On Sep 12, 2006, at 2:54 PM, csnyder wrote:

>> I think parsing logs and injecting rules is just plain ridiculous.
>> Especially using 3rd party languages not native to your OS. It's just
>> more custom stuff to re-implement on the next OS rebuild.
>
> Look, I know it's ridiculous, but it's also more portable (for now)  
> than pf.

Forgive my possible naiveté, but how does any ssh/packet-filter  
incorporation strategy really secure anything, big picture  
(regardless of the implementation)?

What happens when ssh passwords come under distributed dictionary  
attack by a botnet (many IP addresses)?  Wouldn't it render the  
filter moot, and perhaps even create a resource attack as a side  
effect of dynamically loading gargantuan filter rulesets?

What happens when an attacker spoofs the IP addresses you use, with  
the effect of blocking you from your own systems?

--
Additionally, what happens when SSH itself meets its inevitable
zero-day (could be tomorrow, could be 50 years from now)?  Doesn't any
complicated intermingling with other parts of the system make ssh
that much more difficult and error-prone to replace quickly?

I'm not lookin' to pick a flame-fight, I'm just discussing, and I  
feel many packet-filter strategies give a false sense of security.   
Convince me it's a sane strategy, and I'll likely go implement it  
tomorrow :)

Rocket-
.ike
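An added illustration of the distributed-dictionary-attack point raised above; this is example code written for this page, not code from the thread or from any log-parsing tool it discusses. It runs a naive per-IP failure counter (the kind of logic a log-parse-and-inject-rules script uses) next to an aggregate sliding-window counter over a constructed auth.log excerpt. The log lines, the RFC 5737 documentation addresses, the year 2006 stamped onto the syslog timestamps, and the thresholds (5 failures per IP, 10 failures per 60 s globally) are all assumptions chosen for the demonstration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed auth.log excerpt in OpenSSH syslog format. Addresses are from the
# RFC 5737 documentation ranges, not real hosts. Block 1: a single source makes
# six failures in six seconds. Block 2: eight sources make two failures each
# within fifteen seconds, so no single source crosses a per-IP threshold of 5.
SAMPLE_LOG = """\
Sep 13 12:00:01 host sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Sep 13 12:00:02 host sshd[1002]: Failed password for invalid user test from 198.51.100.7 port 40002 ssh2
Sep 13 12:00:03 host sshd[1003]: Failed password for root from 198.51.100.7 port 40003 ssh2
Sep 13 12:00:04 host sshd[1004]: Failed password for root from 198.51.100.7 port 40004 ssh2
Sep 13 12:00:05 host sshd[1005]: Failed password for invalid user oracle from 198.51.100.7 port 40005 ssh2
Sep 13 12:00:06 host sshd[1006]: Failed password for invalid user guest from 198.51.100.7 port 40006 ssh2
Sep 13 12:01:10 host sshd[1007]: Accepted publickey for ike from 192.0.2.10 port 50000 ssh2
Sep 13 12:05:00 host sshd[1101]: Failed password for root from 203.0.113.1 port 41001 ssh2
Sep 13 12:05:01 host sshd[1102]: Failed password for root from 203.0.113.2 port 41002 ssh2
Sep 13 12:05:02 host sshd[1103]: Failed password for root from 203.0.113.3 port 41003 ssh2
Sep 13 12:05:03 host sshd[1104]: Failed password for root from 203.0.113.4 port 41004 ssh2
Sep 13 12:05:04 host sshd[1105]: Failed password for root from 203.0.113.5 port 41005 ssh2
Sep 13 12:05:05 host sshd[1106]: Failed password for root from 203.0.113.6 port 41006 ssh2
Sep 13 12:05:06 host sshd[1107]: Failed password for root from 203.0.113.7 port 41007 ssh2
Sep 13 12:05:07 host sshd[1108]: Failed password for root from 203.0.113.8 port 41008 ssh2
Sep 13 12:05:08 host sshd[1109]: Failed password for invalid user admin from 203.0.113.1 port 41009 ssh2
Sep 13 12:05:09 host sshd[1110]: Failed password for invalid user admin from 203.0.113.2 port 41010 ssh2
Sep 13 12:05:10 host sshd[1111]: Failed password for invalid user admin from 203.0.113.3 port 41011 ssh2
Sep 13 12:05:11 host sshd[1112]: Failed password for invalid user admin from 203.0.113.4 port 41012 ssh2
Sep 13 12:05:12 host sshd[1113]: Failed password for invalid user admin from 203.0.113.5 port 41013 ssh2
Sep 13 12:05:13 host sshd[1114]: Failed password for invalid user admin from 203.0.113.6 port 41014 ssh2
Sep 13 12:05:14 host sshd[1115]: Failed password for invalid user admin from 203.0.113.7 port 41015 ssh2
Sep 13 12:05:15 host sshd[1116]: Failed password for invalid user admin from 203.0.113.8 port 41016 ssh2
"""

# Matches OpenSSH "Failed password" lines; the optional "invalid user" prefix
# appears when the account does not exist.
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+ ssh2$"
)


def parse_failures(log_text, year=2006):
    """Return (timestamp, source_ip, username) for each failed login line.
    Syslog stamps carry no year, so one is supplied (assumed here)."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successes and unrelated lines are ignored
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m.group(3), m.group(2)))
    return events


def per_ip_bans(events, threshold=5):
    """Naive per-source rule: ban any IP with >= threshold failures."""
    counts = Counter(ip for _, ip, _ in events)
    return {ip for ip, n in counts.items() if n >= threshold}


def peak_window(events, window_seconds=60):
    """Max failures in any sliding window across ALL sources, and how many
    distinct sources contributed to that window."""
    ordered = sorted(events)
    best, start = (0, 0), 0
    for end in range(len(ordered)):
        while (ordered[end][0] - ordered[start][0]).total_seconds() > window_seconds:
            start += 1
        window = ordered[start:end + 1]
        if len(window) > best[0]:
            best = (len(window), len({ip for _, ip, _ in window}))
    return best


def analyze(log_text, per_ip_threshold=5, window_seconds=60, global_threshold=10):
    """Compare what a per-IP rule sees with what an aggregate counter sees."""
    events = parse_failures(log_text)
    peak, sources = peak_window(events, window_seconds)
    return {
        "failures": len(events),
        "per_ip_banned": sorted(per_ip_bans(events, per_ip_threshold)),
        "peak_failures_per_window": peak,
        "sources_in_peak_window": sources,
        "global_alarm": peak >= global_threshold,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Against this input the per-IP rule bans only the single noisy source (198.51.100.7) and never touches the eight hosts in block 2, yet the aggregate view shows 16 failures from 8 sources in one 60-second window. That is the gap the message describes: a per-source filter answers the single-host case and says nothing about the distributed one, while a global failure-rate alarm at least tells the operator that something is going on without needing to load a rule per attacking address.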