Re: [psad-discuss] Brute force attacks and statistics
From: Franck J. <fra...@dt...> - 2009-03-22 19:42:55
Hi,

Sorry for the delay.

[...]

>> I will have a look, but at a first glance this one does not fit my
>> needs. First, I do not worry about my ssh server since I use fwknop
>> which works like a charm :) Then, I do not want to blacklist those
>> IPs. I want to collect them, check them against my other iptables
>> logs and graph all that. If this is really needed, I could
>> blacklist them afterwards.
>>
>> For example, what would be the point of denying access to a dynamic IP
>> address (like I use)?
>>
>> I use psad to add a DROP rule (with a timeout) to my ruleset since
>> I want to end the current connection.
>>
>> I also think using /etc/hosts.deny to blacklist IPs is not really
>> useful since packets get through my iptables ruleset and the
>> connection will end normally. I would prefer adding a DROP rule to
>> my firewall, and manage my *bad guy list* myself.
>>
>> If anyone thinks I am wrong, please shout :)
>
> First off the brute force detectors can be set up to take care of ftp
> as well. I think you're wrong. By the time you discover an attack it
> could be too late

So far, I have played with:

+ an update of Michael's scripts
+ fail2ban

Both methods work fine, and I am able to end the session automatically
with psad when a large number of tries have been made (a timeout of 1h
seems to be enough).

> Most attacks come from dynamic IPs.

Ok. With my data I could say at least one IP keeps trying every day but
others do not.

> What you can do is monitor the notices you get and determine if any
> are coming from a permanent IP and then blacklist if proper
> notification does not produce quiet. With these apps, you can set up
> how long the block will last and then after let's say 24 hours or
> whatever, the dynamic IP will have access again automagically. Or of
> course the person on the other end can reset their internet
> connection and should be able to have access that way, or you can
> explicitly trust that IP. The computers that are infected with
> whatever worm trying to brute force passwords would not try one IP,
> reboot and then try again. So automatically blocking would be the most
> effective way to protect your network. You would still be able to
> monitor either with notifications that you receive or through the
> logs. And if you really want to continue to monitor those bad IPs you
> could look at denied IPs.

It looks like this is what I am currently doing :)

> With the brute force attack detectors, you can set up a whitelist not
> blocking IPs that you trust.

Psad already handles that through the auto_dl file.

> While taking care of those attempting to gain unauthorized access to
> your server. You wouldn't have to work so hard and you could move on
> to better things.
>
> Thanks,
>
> Eli

--
Franck Joncourt
http://debian.org - http://smhteam.info/wiki/
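The collection-and-correlation step Franck describes (gather brute-force sources from the iptables log, check which ones come back day after day, keep trusted IPs out of the list) can be done with a small parser over the kernel's netfilter LOG lines. The script below is an added example for this thread, not code from psad, fail2ban or either poster; the log lines, the whitelist and the threshold of 3 SYNs per day are constructed assumptions, and the whitelist is a plain set rather than psad's auto_dl format.

```python
import re
from collections import defaultdict

# Constructed netfilter LOG lines (documentation address ranges, not real hosts).
# Unrelated fields of a real line (MAC=, LEN=, TTL=, WINDOW=, ...) are omitted;
# the regex below only needs the date, SRC, PROTO, DPT and the SYN flag.
SAMPLE_LOG = """\
Mar 20 03:14:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=51234 DPT=22 SYN
Mar 20 03:14:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=51235 DPT=22 SYN
Mar 21 11:02:44 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=21 SYN
Mar 21 11:05:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=40002 DPT=22 SYN
Mar 21 11:05:10 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=40003 DPT=22 SYN
Mar 21 11:05:11 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=40004 DPT=22 SYN
Mar 22 09:00:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.1 PROTO=TCP SPT=40005 DPT=22 SYN
"""

# Syslog date prefix, then the SRC=, PROTO=TCP, DPT= and SYN tokens in the order
# the kernel writes them; other tokens in between are skipped by the lazy .*?
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) [\d:]+ \S+ kernel: .*?SRC=(?P<src>[\d.]+) "
    r".*?PROTO=TCP .*?DPT=(?P<dpt>\d+) .*?SYN"
)

WATCHED_PORTS = {"21", "22"}  # ftp and ssh, the two services discussed above


def parse_log(text):
    """Yield (date, source IP, destination port) for each TCP SYN to a watched port."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("dpt") in WATCHED_PORTS:
            yield f"{m.group('mon')} {m.group('day')}", m.group("src"), m.group("dpt")


def summarize(text, whitelist=frozenset(), threshold=3):
    """Return (per-IP per-day SYN counts, IPs that hit the per-day threshold,
    IPs seen on two or more days). The last set is the one worth a second look
    for a permanent block; a single-day burst is more likely a dynamic address."""
    hits = defaultdict(lambda: defaultdict(int))
    for date, src, _ in parse_log(text):
        if src in whitelist:  # trusted sources never enter the list
            continue
        hits[src][date] += 1
    noisy = {ip for ip, days in hits.items() if max(days.values()) >= threshold}
    persistent = {ip for ip, days in hits.items() if len(days) >= 2}
    return {ip: dict(days) for ip, days in hits.items()}, noisy, persistent
```

The returned per-day counts are the data series to graph; `noisy` is what a timed DROP rule would act on, and `persistent` is the candidate list for a longer block.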