Menu
▾
▴
[Sshguard-users] Subject: Re: Username Blacklisting
|
From: Laurence P. (OE) <lpe...@op...> - 2015-05-15 15:58:15
|
Message-ID: <555...@gm...> > >> Having the option of scoring certain usernames as high danger > attempts, > >> or perhaps as danger 1+fractional multipliers, could be a clean way > to > >> implement such a feature. > > > > I hadn't thought of doing it that way, but that would likely be more > useful as you could > > use it to set up multiple, different levels of paranoia for > different users. Especially > > if you can use a fractional multiplier to effectively raise the > threshold for guest accounts > > and the like. > > How would this work? Raise the danger of the attack so that two > attempted logins with 'root' or similar usernames would be blocked? > How > would SSHGuard know which usernames to do this for? Would it be built > into the binary, or added as a configuration at run-time? > > (With your use case, why not just lower the blocking threshold?) > > Thanks, > Kevin Zheng It would pretty well have to be added as a configuration at runtime since the list of prohibited usernames would vary per system. My original thought was to have a list where even attempting to log in with one of the names resulted in an immediate block. E.g.: The root account on my machine is disabled. Anyone who even attempts to use it is necessarily an unauthorized attacker and should be blocked immediately. There is no reason to wait for them to try more than once (or even to let them finish the first attempt really). Same thing goes for various other account names that are commonly tested by attackers and that don't even exist on my machine. User accounts that do exist where someone could legitimately be having trouble remembering their password need to not lock the user out for fat-fingering their password a couple of times though. If the list were implemented as a "danger multiplier" then it could be calibrated so that root login attempts get blocked instantly, logins to my account get blocked after just a couple of attempts, and logins to some of my more absent-minded users get a little extra grace. It's probably not worth going to a lot of extra trouble to implement it this way, but if username blacklisting is easiest to do by adjusting the danger for listed accounts then reading a custom multiplier from the account list for each account wouldn't take much more effort. Just being able to blacklist accounts, however, would eliminate the vast majority of attackers as nearly all of them seem to hit the same list of default usernames. LMP |
