Questions concerning Security Log

Brian Gaynor briang at pmccorp.com
Sun Apr 10 02:17:49 UTC 2005


> -----Original Message-----
> > I would disagree a bit. Denying access after a small number of
> > unsuccessful logons effectively reduces the bandwidth of anyone attempting
> > a brute force attack, script kiddie or pro. Changing ports may hide you
> > from script kiddies but not from a pro.
> 
> Not so sure I would agree with this. If they are hammering you then yes.
> But if they watch their logs then they will see that after X attempts they
> are no longer getting a reply; then they could (at least I would) add time
> in between requests. Sooner or later they will find the right time
> intervals and they are back in business again.
> 
> Ex: you set 5 attempts/5 minutes. They change this script to wait 61 sec
> between attempts and they are back in business.

Exactly - you've reduced their bandwidth, exactly the same as the standard
logon daemon does - so many command line login failures and it sleeps for a
while. In a brute force attack bandwidth is key, reduce it and generally the
attacker will move to an easier target. The current crop of SSH script
kiddies will definitely move on.

A determined (and capable) attacker can always carefully time their attacks
(and use multiple IPs), but you've made it much harder (i.e. slower). So you
slow them down, you insist on good passwords, and you check your logs. And
if it's reasonable you change ports - but security through obscurity alone
is generally a Bad Idea.

Brian
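The two policies discussed above, as an added example that is not part of the original thread: a short-window lockout rule (5 failures in 5 minutes) that a source pacing itself at 61-second intervals stays under, beside the longer-window log review Brian recommends, which does flag that source. The sshd-style log lines, the source addresses and the year 2005 are constructed assumptions; the function names are mine.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sshd-style lines, not real log data; syslog omits the year, so 2005 is assumed below.
SAMPLE_LOG = """\
Apr 10 01:00:05 gw sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Apr 10 01:00:09 gw sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Apr 10 01:00:14 gw sshd[1205]: Failed password for root from 192.0.2.10 port 40003 ssh2
Apr 10 01:00:20 gw sshd[1207]: Failed password for root from 192.0.2.10 port 40004 ssh2
Apr 10 01:00:27 gw sshd[1209]: Failed password for invalid user test from 192.0.2.10 port 40005 ssh2
Apr 10 01:00:33 gw sshd[1211]: Failed password for invalid user test from 192.0.2.10 port 40006 ssh2
Apr 10 01:02:50 gw sshd[1222]: Accepted password for alice from 198.51.100.7 port 51001 ssh2
"""
FAILED = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")

def parse_failures(text, year=2005):
    """Return (timestamp, source_ip) for each 'Failed password' line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            mon, day, clock, ip = m.groups()
            events.append((datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S"), ip))
    return events

def spaced_failures(start, count, spacing, ip):
    """Constructed series of failures from one source at a fixed interval (the 'wait 61 sec' case)."""
    return [(start + i * spacing, ip) for i in range(count)]

def max_in_window(times, window):
    """Largest number of events from one source that fall inside any span of length `window`."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:  # slide the left edge until the span fits the window
            left += 1
        best = max(best, right - left + 1)
    return best

def offenders(events, window, max_failures):
    """Sources with more than `max_failures` failures inside some `window`, as a lockout rule would count."""
    by_ip = defaultdict(list)
    for t, ip in events:
        by_ip[ip].append(t)
    return sorted(ip for ip, ts in by_ip.items() if max_in_window(ts, window) > max_failures)

def demo():  # fast attacker from the sample log plus one source pacing itself at 61-second intervals
    events = parse_failures(SAMPLE_LOG) + spaced_failures(
        datetime(2005, 4, 10, 1, 0, 0), 40, timedelta(seconds=61), "203.0.113.5")
    return {"lockout_5_per_5min": offenders(events, timedelta(minutes=5), 5), "review_20_per_hour": offenders(events, timedelta(hours=1), 20)}
```

Calling demo() shows the 5-per-5-minute rule tripping only on the fast source, while the 20-per-hour review over the same events flags only the paced one.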

More information about the fedora-list mailing list