Re: [psad-discuss] Brute force attacks and statistics

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On Mar 28, 2009, Eli Wapniarski wrote:

> On Saturday 28 March 2009 17:40:51 Vernon Webb wrote:
> > Last week I got this message from this list about denyhosts, which I
> > which I have known about some time ago as it is a great little program.
> > What I would like to know is there a program or can denyhosts be
> > configure to do the same thing for ftp attacks? Thanks
> > 
> >  
> It would seem that it is only good for ssh. I will be looking into fail2ban.

Just a quick note on this thread - sure, denyhosts and fail2ban have
similar features - log parsing and subsequent blocking when bad things
are seen, but this implies two things:

- Any service protected by fail2ban or denyhosts is easily scanned for
by nmap since the default is still to allow arbitrary IP addresses to
communicate with the daemon.  And, with denyhosts, even after an IP is
"blocked", it is possible to scan for the service from the blocked IP
because tcpwrappers is used instead of a kernel level filtering
mechanism such as iptables or ipfw.  It doesn't look like fail2ban has
this particular limitation since it supports iptables for blocking, but
the fact remains that until an IP is blocked nmap will be quite
effective at server discovery.

- The added security is only realized if an attacker (who can easily
find the service per the above) happens to trigger something in the
application that causes a warning log message to be generated.  This
typically means looking for failed login attempts and applying
thresholds to these attempts.  This is useful as far as it goes, but
when was the last time a vulnerability was announced in sshd or some
ftp server implementation that had a weak password at its core?  What
I'm personally more concerned about is the possibility that a well-armed
adversary might know an exploit against the version of whatever service
I'm running that has nothing to do with passwords.  The very act of
advertising the ability to talk to userland daemon presents a
potentially juicy target to an attacker.  This is why I run sshd behind
fwknop.  This is certainly not an option for all deployments, but
getting past bad passwords is easy by choosing them properly - getting
past a real vulnerability is a lot harder - especially a zero-day.

Thanks,

--Mike

> Eli