[Freedombox-discuss] Block brute force login attacks?
Joost van Baal-Ilić
joostvb-freedombox at mdcc.cx
Wed Mar 19 05:08:53 UTC 2014
Hi,
On Tue, Mar 18, 2014 at 11:32:49PM +0000, Philip Hands wrote:
> Petter Reinholdtsen <pere at hungry.com> writes:
>
> > Hi.
> >
> > On all my machines, I install denyhosts with a two hour timeout
> > (DAEMON_PURGE = 2h), to block those trying to brute force a ssh login.
> > Should we do something similar on the Freedombox?
> >
> > In addition to denyhosts (which only handle ssh), there are other
> > relevant packages in Debian:
> >
> > libpam-shield - locks out remote attackers trying password guessing
> > libpam-abl - blocks hosts which are attempting a brute force attack
>
> fail2ban
>
> The trouble with this approach is that an attacker can always widen
> their net, trying passwords against _many_ hosts, so that they only come
> back to any particular host after a decent interval. If they're smart
> they'll be using a lot of source addresses (a bot-net, say) and they'll
> be able to work out quite quickly what the parameters are for you to ban
> them, and aim just under the RADAR.
>
> So, what you're doing is blocking only the less dangerous attackers
> while giving yourself a nice warm glow.
>
> One would be a lot better off disabling passwords,
<snip more alternatives>
Indeed. Perhaps we can allow password-based logins from the local network,
while requiring keypair-based authentication for logins from the internet.
Bye,
Joost
--
In their capacity as a tool, computers will be but a ripple on the
surface of our culture. In their capacity as intellectual
challenge, they are without precedent in the cultural history of
mankind. --Edsger W Dijkstra (1930-2002), Turing Award lecture
More information about the Freedombox-discuss
mailing list