Menu
▾
▴
Re: [Sshguard-users] Subject: Re: Username Blacklisting
|
From: Kevin Z. <kev...@gm...> - 2015-05-15 16:14:48
|
On 05/15/2015 10:58, Laurence Perkins (OE) wrote: > It would pretty well have to be added as a configuration at runtime > since the list of prohibited usernames would vary per system. Perhaps a flat text file, with one username per line? > My original thought was to have a list where even attempting to log in > with one of the names resulted in an immediate block. E.g.: The root > account on my machine is disabled. Anyone who even attempts to use it > is necessarily an unauthorized attacker and should be blocked > immediately. There is no reason to wait for them to try more than once > (or even to let them finish the first attempt really). Same thing goes > for various other account names that are commonly tested by attackers > and that don't even exist on my machine. User accounts that do exist > where someone could legitimately be having trouble remembering their > password need to not lock the user out for fat-fingering their password > a couple of times though. Makes sense. Especially at the point which a user account (e.g. root) is disabled, any attempted login is certainly an attack. > If the list were implemented as a "danger multiplier" then it could be > calibrated so that root login attempts get blocked instantly, logins to > my account get blocked after just a couple of attempts, and logins to > some of my more absent-minded users get a little extra grace. It's > probably not worth going to a lot of extra trouble to implement it this > way, but if username blacklisting is easiest to do by adjusting the > danger for listed accounts then reading a custom multiplier from the > account list for each account wouldn't take much more effort. Just > being able to blacklist accounts, however, would eliminate the vast > majority of attackers as nearly all of them seem to hit the same list of > default usernames. Actually, most of the work is probably going to be extracting the username and passing it to the attack reporter. I'll start working on a proof-of-concept soon and keep you updated. Thanks, Kevin Zheng -- Kevin Zheng kev...@gm... | ke...@kd... | PGP: 0xC22E1090 |
