Menu
▾
▴
Re: [Sshguard-users] Blocking bots looking for vulnerable web apps
|
From: Hans F. N. <Han...@hi...> - 2009-04-22 09:49:43
|
* Mij <mi...@bi...> [2009-02-06]: > > On Feb 5, 2009, at 9:11 PM, Hans F. Nordhaug wrote: > > > * Forrest Aldrich <fo...@fo...> [2009-02-05]: > >> I have the same problem -- my method of blocking is visually > >> doing "tail -F access.log" and putting filters in. > >> > >> To use SSHGuard for this, you'd have to implement pattern > >> searches for the specific attacks... might be okay for a few, > >> annoying for more than that. I think something like > >> mod_security may help in this case (though I've never used it). > > > > Well, I don't think you have to do it that strict. I would say that if > > an IP is getting many 404 entries (maybe with the added condition of > > empty referrer) in very short time, it's likely to be a scanning > > attack. SSHGuard by default doesn't block for very long so if it was a > > legitime user hitting refresh like crazy, it wouldn't harm that much. > > I'm not quite convinced for 2 reasons: > 1) such rules appear quite "loose". I'm not sure this fits with the > conservative policy used so far to avoid false positives at the cost > of complexity. For example, crawlers issue a "GET /robots.txt" > which often results in a 404 and lacks a referer. On webservers > with plenty of vhosts a bunch of such requests within few minutes > may result in an undesired blocking. > > A solution can be to add to such conditions sensitivity to the > target filetype, and block only those involving dynamic scripts > like .php, .pl etc. > > > 2) Sshguard currently assumes that all attacks have the same > "density", that is, 4 attacks to ssh are "as dangerous" as 4 to > proftpd or anything else. This case breaks this assumption, as you > would require many more "404"s than login failures before > determining an abuse. > > A solution is either to define the conditions above "tight enough" > to raise the density of each attack, or to wait for me to > eventually implement the system based on scoring and threshold. Thx for your reply, michele, and sorry about not coming back to this issue before now. To me 1 isn't such a big problem - there are many ways to work around it. However, 2 is a real problem that I didn't think about. I clearly can't use the same "density" for SSH and HTTP. I think I'll wait for you ;-) I definetly think this would be a nice addition to SSHGuard, but I also realize that it might not make sense to extend SSHGuard to handle every thing. Maybe there are other tools out there that all ready do the job? I just happen to like SSHGuard. Regards, Hans |
