From: Jim S. <jse...@Li...> - 2018-04-20 17:41:20
On Fri, 20 Apr 2018 18:29:39 +0100 Karl Pielorz <kpi...@td...> wrote:

[snip]
>
> The bigger annoyance is 99% of IP's don't seem to trip the blocks
> (because they only try once or twice from a single IP and never
> again) - I can't think of any simple way of handling that either.

[snip]

That's one weakness in a tool like sshguard. Using a bot farm, the attacker can spread the attack vector out all over Internet creation, and attempt from any given IP address just once every so many hours or days.

There's no good way to counter that, other than making sshguard a *lot* smarter than it is. E.g.: Detect multiple failed attempts over N days, with zero successes, from a given IP address.

That would of course require a very fast database. (Very fast in terms of lookups.) And it would probably increase the likelihood of sshguard, itself, becoming a DOS vector, if an attacker were so-inclined.

In the end what really needs to happen is the hardening of client systems, including IoT devices, so they're no longer quite so easily turned into attack tools.

Regards,
Jim

--
Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.LinxNet.com/contact/scform.php>.
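
The "multiple failed attempts over N days, with zero successes" check described in the message above, as an added example (not part of the original message and not sshguard code). It assumes sshd log lines prefixed with ISO 8601 timestamps; the sample log, the function name `slow_offenders` and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (documentation IP ranges, assumed ISO timestamps).
SAMPLE_LOG = """\
2018-04-02T11:00:00 host sshd[700]: Failed password for root from 192.0.2.44 port 60000 ssh2
2018-04-10T11:00:00 host sshd[750]: Failed password for root from 192.0.2.44 port 60002 ssh2
2018-04-14T02:11:09 host sshd[811]: Failed password for root from 203.0.113.5 port 40112 ssh2
2018-04-15T09:40:51 host sshd[902]: Failed password for invalid user admin from 203.0.113.5 port 51820 ssh2
2018-04-16T08:02:13 host sshd[955]: Failed password for alice from 198.51.100.7 port 40022 ssh2
2018-04-16T08:02:30 host sshd[955]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
2018-04-17T21:05:33 host sshd[1033]: Failed password for invalid user pi from 203.0.113.5 port 33901 ssh2
2018-04-18T03:00:00 host sshd[1101]: Failed password for alice from 198.51.100.7 port 40100 ssh2
2018-04-18T03:00:20 host sshd[1101]: Failed password for alice from 198.51.100.7 port 40101 ssh2
2018-04-19T13:27:44 host sshd[1190]: Failed password for root from 192.0.2.44 port 60001 ssh2
"""
NOW = datetime(2018, 4, 20)  # constructed "current time" for the sample

LINE_RE = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) \S+ for "
    r"(?:invalid user )?\S+ from (\S+) port"
)

def slow_offenders(lines, now, window_days=7, min_failures=3):
    """Return IPs with >= min_failures failed logins and zero successful
    logins inside the last window_days, however far apart the attempts are."""
    cutoff = now - timedelta(days=window_days)
    failures = defaultdict(int)   # ip -> failed attempts inside the window
    succeeded = set()             # ips with at least one accepted login
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # not an sshd auth result line
        ts = datetime.fromisoformat(m.group(1))
        if not (cutoff <= ts <= now):
            continue              # outside the N-day window
        ip = m.group(3)
        if m.group(2) == "Accepted":
            succeeded.add(ip)
        else:
            failures[ip] += 1
    return sorted(ip for ip, n in failures.items()
                  if n >= min_failures and ip not in succeeded)

if __name__ == "__main__":
    print(slow_offenders(SAMPLE_LOG.splitlines(), NOW))
```

The per-IP counters here are the state the message warns about: in a long-running daemon they would need a size cap or expiry so that a flood of distinct source addresses cannot exhaust memory.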