From: Richard J. <rjt...@sa...> - 2015-05-08 18:02:00
On Fri, May 08, 2015 at 12:20:46PM -0500, Kevin Zheng wrote:
> On 05/08/2015 11:51, Laurence Perkins (OE) wrote:
> > While we're discussing potential new features, I've noticed that nearly
> > all attackers hit the same list of default usernames (root, pi, ubuntu,
> > etc.) It would be useful to be able to specify a list of usernames that
> > result in an immediate block without waiting for the login to fail.
> > (Processing the login attempt uses a not-insignificant amount of CPU on
> > low-end machines like a Raspberry Pi. Blocking the connection
> > immediately would save quite a bit.)
>
> Sounds interesting, especially with the use case you describe (running
> on a Raspberry Pi). Have you taken a look at OpenSSH settings like
> AllowUsers or DenyUsers? Do those incur the same CPU penalty?
>
> This sounds useful; I'll start poking around soon.

Having the option of scoring certain usernames as high danger attempts,
or perhaps as danger 1+fractional multipliers, could be a clean way to
implement such a feature.

Richard
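
The username-weighted scoring suggested in this thread, sketched as an added example that is not sshguard's code and was not posted by any participant. The base danger of 10, the threshold of 40, the multiplier table and the log lines are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed values for this example; neither is taken from the thread.
BASE_DANGER = 10
BLOCK_THRESHOLD = 40
# Hypothetical weights: 1 + a fraction for common targets, 4.0 to block on first sight.
USERNAME_MULTIPLIER = {"root": 1.5, "ubuntu": 1.5, "pi": 4.0}

# The username is attacker-controlled and may contain " from <addr>", so the greedy
# group makes the regex bind to the LAST "from" on the line, which sshd wrote itself.
ATTEMPT_RE = re.compile(
    r"sshd\[\d+\]: (?P<kind>Invalid user|Failed password for) (?P<user>.*)"
    r" from (?P<addr>\S+)(?: port \d+)?(?: ssh2)?$"
)

def score_log(lines, multipliers=USERNAME_MULTIPLIER, threshold=BLOCK_THRESHOLD):
    """Return (scores, blocked); blocked maps address -> 1-based line that triggered it."""
    scores, blocked = defaultdict(float), {}
    for lineno, line in enumerate(lines, 1):
        m = ATTEMPT_RE.search(line.rstrip())
        if not m:
            continue
        user, addr = m["user"], m["addr"]
        # sshd logs an unknown user twice; count only the earlier "Invalid user" line.
        if m["kind"] == "Failed password for" and user.startswith("invalid user "):
            continue
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # not an address: refuse to act on it
        if addr in blocked:
            continue  # already blocked, nothing more to score
        scores[addr] += BASE_DANGER * multipliers.get(user, 1.0)
        if scores[addr] >= threshold:
            blocked[addr] = lineno
    return dict(scores), blocked

# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    "May  8 12:00:01 host sshd[100]: Invalid user pi from 192.0.2.10",
    "May  8 12:00:02 host sshd[100]: Failed password for invalid user pi from 192.0.2.10 port 4000 ssh2",
    "May  8 12:00:03 host sshd[101]: Failed password for root from 198.51.100.7 port 4001 ssh2",
    "May  8 12:00:04 host sshd[102]: Failed password for root from 198.51.100.7 port 4002 ssh2",
    "May  8 12:00:05 host sshd[103]: Failed password for alice from 198.51.100.7 port 4003 ssh2",
    "May  8 12:00:06 host sshd[104]: Invalid user x from 203.0.113.5 from 192.0.2.99 port 4100",
    "May  8 12:00:07 host sshd[105]: Accepted publickey for bob from 192.0.2.50 port 22 ssh2",
]
```

With these weights the `pi` attempt is blocked on its first log line, while the address trying `root` needs three failures; the sixth line shows a username crafted to look like another address being scored against the real source instead.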