[nycbug-talk] Analyzing malicious SSH login attempts

George Georgalis george at galis.org
Wed Sep 13 21:53:12 EDT 2006


On Wed, Sep 13, 2006 at 01:25:22PM -0400, Isaac Levy wrote:
>Hi All,
>
>Some SSH food for thought,
>
>On Sep 12, 2006, at 2:54 PM, csnyder wrote:
>
>>> I think parsing logs and injecting rules is just plain ridiculous.
>>> Especially using 3rd party languages not native to your OS. It's just
>>> more custom stuff to re-implement on the next os rebuild.
>>
>> Look, I know it's ridiculous, but it's also more portable (for now)  
>> than pf.
>
>Forgive my possible naiveté, but how does any ssh/packet-filter  
>incorporation strategy really secure anything, big picture  
>(regardless of the implementation)?
>
>What happens when ssh passwords come under distributed dictionary  
>attack by a botnet (many IP addresses)?  Wouldn't it render the  
>filter moot, and perhaps even create a resource attack as a side  
>effect of dynamically loading gargantuan filter rulesets?
>
>What happens when an attacker spoofs the IP addresses you use, with  
>the effect of blocking you from your own systems?

UsePam No

lets you log in from anywhere, using something
you have and something you know. and, ever try
connecting without your private key? good luck.

// George


-- 
George Georgalis, systems architect, administrator <IXOYE><
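
Added example, not part of the original thread: a sketch of the distributed dictionary attack question quoted above, comparing a per-address failure threshold with a per-account count of distinct source addresses. The log lines, thresholds and the `analyze` function are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in OpenSSH syslog style; addresses are documentation ranges.
SAMPLE_LOG = "\n".join(
    [f"Sep 13 21:40:0{i} host sshd[100{i}]: Failed password for root "
     f"from 192.0.2.10 port 4000{i} ssh2" for i in range(4)]
    + [f"Sep 13 21:41:0{i} host sshd[200{i}]: Failed password for invalid user admin "
       f"from 198.51.100.{i + 1} port 5000{i} ssh2" for i in range(6)]
    + ["Sep 13 21:42:00 host sshd[3000]: Accepted publickey for alice "
       "from 203.0.113.7 port 60000 ssh2"]
)

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def analyze(log_text, per_ip_limit=3, distributed_limit=5):
    """Return (blocked_ips, failures_missed, distributed_targets)."""
    per_ip = Counter()
    sources_by_user = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # accepted logins and unrelated lines
        user, ip = m.groups()
        per_ip[ip] += 1
        sources_by_user[user].add(ip)
    # What a per-address threshold (the log-parsing filter approach) would block.
    blocked = {ip for ip, n in per_ip.items() if n >= per_ip_limit}
    # Failures from addresses that never reach the threshold.
    missed = sum(n for ip, n in per_ip.items() if ip not in blocked)
    # Accounts guessed from many distinct addresses: the distributed pattern.
    distributed = {u: len(s) for u, s in sources_by_user.items()
                   if len(s) >= distributed_limit}
    return blocked, missed, distributed


if __name__ == "__main__":
    blocked, missed, distributed = analyze(SAMPLE_LOG)
    print("per-IP filter would block:", sorted(blocked))
    print("failed attempts it never sees:", missed)
    print("accounts targeted from many addresses:", distributed)
```

On the constructed sample the per-address threshold catches only the single noisy host, while the per-account view surfaces the six one-attempt sources.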


