Re: [psad-discuss] Brute force attacks and statistics
From: Eli W. <el...@or...> - 2009-03-18 05:47:44
On Wednesday 18 March 2009 01:16:30 Franck Joncourt wrote:
> >> I am currently running an FTP server on which I keep an eye to
> >> detect bad IPs.
> >>
> >> All bots keep trying to connect without SSL whatever the error
> >> message is. After a large amount of tries, I use *psad
> >> --fw-block-ip* to end the attacks.
> >>
> >> The only way I have found to track those offenders is to keep the
> >> email alerts in my mailbox, since *psad -S* does not track them
> >> after the timeout.
> >>
> >> How do you handle that?
> >>
> >> I would like to have statistics.
> >
> > You should probably be using a brute force attack detector like
> > denyhosts. There are others.
>
> I will have a look, but at a first glance this one does not fit my
> needs. First, I do not worry about my ssh server since I use fwknop
> which works like a charm :) Then, I do not want to blacklist those IPs.
> I want to collect them, check them against my other iptables logs and
> graph all that. If this is really needed, I could blacklist them afterwards.
>
> For example, what would be the point of denying access to a dynamic IP address
> (like I use)?
>
> I use psad to add a DROP rule (with a timeout) to my ruleset since I
> want to end the current connection.
>
> I also think using /etc/hosts.deny to blacklist IPs is not really useful
> since packets get through my iptables ruleset and the connection will
> end normally.
> I would prefer adding a DROP rule to my firewall, and manage my *bad guy
> list* myself.
>
> If anyone thinks I am wrong, please shout :)

First off, the brute force detectors can be set up to take care of FTP as well.

I think you're wrong. By the time you discover an attack it could be too late. Most attacks come from dynamic IPs. What you can do is monitor the notices you get and determine if any are coming from a permanent IP, and then blacklist if proper notification does not produce quiet.

With these apps, you can set up how long the block will last, and then after, let's say, 24 hours or whatever, the dynamic IP will have access again automagically. Or of course the person on the other end can reset their internet connection and should be able to have access that way, or you can explicitly trust that IP. The computers that are infected with whatever worm trying to brute force passwords would not try one IP, reboot and then try again. So automatically blocking would be the most effective way to protect your network. You would still be able to monitor either with notifications that you receive or through the logs. And if you really want to continue to monitor those bad IPs you could look at the denied IPs.

With the brute force attack detectors, you can set up a whitelist, not blocking IPs that you trust, while taking care of those attempting to gain unauthorized access to your server. You wouldn't have to work so hard and you could move on to better things.

Eli
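As an added example (not code from the thread, from psad or from any of the detectors named), here is a small Python sketch of the two things discussed: counting FTP connection attempts per source from iptables LOG-target lines, and a timed DROP with a whitelist of the kind Eli describes. The log lines, addresses, threshold and 24-hour block duration are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines in iptables LOG-target syslog format (not from the post).
SAMPLE_LOG = """\
Mar 18 05:40:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=21 SYN
Mar 18 05:40:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51001 DPT=21 SYN
Mar 18 05:40:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51002 DPT=21 SYN
Mar 18 05:40:04 gw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP SPT=40000 DPT=21 SYN
Mar 18 05:40:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=21 SYN
Mar 18 05:40:06 gw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=21 SYN
Mar 18 05:40:07 gw kernel: IN=eth0 OUT= SRC=198.51.100.50 DST=198.51.100.2 PROTO=TCP SPT=3000 DPT=22 SYN
Mar 19 06:00:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51003 DPT=21 SYN
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)")

def parse_log(text, year=2009):
    """Return (timestamp, src_ip, dst_port) for every LOG-target line that parses."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"], int(m["dpt"])))
    return events

def attempts_per_ip(events, port=21):
    """Hits per source for one service: the raw material for the statistics asked about."""
    counts = defaultdict(int)
    for _, src, dpt in events:
        if dpt == port:
            counts[src] += 1
    return dict(counts)

class TimedBlocker:
    """Detector policy: after `threshold` hits, DROP the source for `block_for` unless whitelisted."""
    def __init__(self, threshold=3, block_for=timedelta(hours=24), whitelist=()):
        self.threshold, self.block_for, self.whitelist = threshold, block_for, set(whitelist)
        self.hits, self.blocks = defaultdict(int), {}  # hits since last block; src -> block expiry
    def feed(self, ts, src, dpt, port=21):
        """True when this event triggers a new block (the point where psad --fw-block-ip would run)."""
        if dpt != port or src in self.whitelist or ts < self.blocks.get(src, ts):
            return False  # wrong service, trusted source, or block still active
        self.hits[src] += 1
        if self.hits[src] < self.threshold:
            return False
        self.blocks[src], self.hits[src] = ts + self.block_for, 0  # expiry = automatic release
        return True
    def blocked_at(self, now):
        return sorted(src for src, expiry in self.blocks.items() if now < expiry)  # DROP still in force
```

Feeding `parse_log(SAMPLE_LOG)` through `TimedBlocker(whitelist=["192.0.2.9"])` blocks 203.0.113.7 on its third hit, ignores the whitelisted source and the port-22 line, and lets the same source back in when it reappears after the 24-hour expiry, while `attempts_per_ip` still counts every attempt for the graphs.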