Re: [psad-discuss] Brute force attacks and statistics

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On Monday 30 March 2009 07:14:15 Michael Rash wrote:
> On Mar 28, 2009, Eli Wapniarski wrote:
> 
> > On Saturday 28 March 2009 17:40:51 Vernon Webb wrote:
> > > Last week I got this message from this list about denyhosts, which I
> > > which I have known about some time ago as it is a great little program.
> > > What I would like to know is there a program or can denyhosts be
> > > configure to do the same thing for ftp attacks? Thanks
> > > 
> > >  
> > It would seem that it is only good for ssh. I will be looking into fail2ban.
> 
> Just a quick note on this thread - sure, denyhosts and fail2ban have
> similar features - log parsing and subsequent blocking when bad things
> are seen, but this implies two things:
> 
> - Any service protected by fail2ban or denyhosts is easily scanned for
> by nmap since the default is still to allow arbitrary IP addresses to
> communicate with the daemon.  And, with denyhosts, even after an IP is
> "blocked", it is possible to scan for the service from the blocked IP
> because tcpwrappers is used instead of a kernel level filtering
> mechanism such as iptables or ipfw.  It doesn't look like fail2ban has
> this particular limitation since it supports iptables for blocking, but
> the fact remains that until an IP is blocked nmap will be quite
> effective at server discovery.
> 
> - The added security is only realized if an attacker (who can easily
> find the service per the above) happens to trigger something in the
> application that causes a warning log message to be generated.  This
> typically means looking for failed login attempts and applying
> thresholds to these attempts.  This is useful as far as it goes, but
> when was the last time a vulnerability was announced in sshd or some
> ftp server implementation that had a weak password at its core?  What
> I'm personally more concerned about is the possibility that a well-armed
> adversary might know an exploit against the version of whatever service
> I'm running that has nothing to do with passwords.  The very act of
> advertising the ability to talk to userland daemon presents a
> potentially juicy target to an attacker.  This is why I run sshd behind
> fwknop.  This is certainly not an option for all deployments, but
> getting past bad passwords is easy by choosing them properly - getting
> past a real vulnerability is a lot harder - especially a zero-day.
> 

This of course assmumes that a fwknop client can be installed on a client that needs access to ssh services. Or for that matter that its actually desireable to do that. However, if you are giving limited access to only certain machines and the best assuarance is possible then indeed not only is it desireable, it is recommended. Be that as it may, having psad configured to the defauilt very high threshold can be changed to a much much lower threshold. And any port that is not automatically blocked by my firewall is manually blocked like dns access from the outside. These measures while lacking the added security and benefit of fwknop should help mitigate (not entirely) the threat. And yes, fail2ban can use iptables for most services monitored. Which I'm looking into now.

Thank you for the pointer. It is useful for sure.

Eli

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.