On 24 February 2015 at 05:46, Hubert Kario <[email protected]> wrote:
> On Tuesday 24 February 2015 13:08:46 Tomas Mraz wrote:
> > On Tue, 2015-02-24 at 12:32 +0100, Hubert Kario wrote:
> > >
> > > rate limiting and denyhosts have no impact whatsoever when the
> > > attacker has a botnet to his disposal
> >
> > Large botnet means that the attack is targeted. I do not think we can
> > prevent targeted attack against weak password in the default
> > configuration. What we should aim at is prevention of non-targeted
> > attacks such as attacks you can see when you open ssh port on a public
> > IP almost immediately. These attacks usually come from single IP
> > address.
>
> Not necessarily, I've seen both - where an IP did try just 2 or 3
> password/user combinations and ones that did try dozens.
>
> Having access to botnet is not uncommon or expensive, making it possible
> for "bored student" kind of targeted attacks. You can do low level of
> such an attack with just EC2.
>
> I'm not saying that we shouldn't have rate limiting, but it shouldn't be
> the only thing above simple dictionary check.
>

That matches what I am seeing with a couple of random servers I have out there. The number of attacks where IP address one is doing

apple:apple
apple:123456
apple:trustn01
apple:...
bob:bob
bob:123456
bob:trustn01
bob:password

where if box A is blocked a new IP address starts up exactly where the first one stopped is much more common now than it was say 2 years ago and it will keep going until 50-60 boxes are rotated through.

--
Stephen J Smoogen.
--
security mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/security
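An added example, not part of the thread: a log check that contrasts a per-address failure counter with a host-wide sliding window, for the pattern described above where a new address carries on after the previous one stops. The OpenSSH "Failed password" line format, the thresholds, the year and the sample log are all assumptions; the log is constructed and uses documentation addresses.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

FAILED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
YEAR = 2015  # assumed: syslog timestamps carry no year

def constructed_log(sources=4, per_source=4):
    """Constructed sample: each source stops after per_source failures and the
    next address (203.0.113.0/24, documentation range) carries on the list."""
    users = ["apple", "bob"]
    start = datetime(YEAR, 2, 24, 10, 0, 0)
    total = sources * per_source
    lines = []
    for i in range(total):
        ts = (start + timedelta(seconds=15 * i)).strftime("%b %d %H:%M:%S")
        user = users[i * len(users) // total]
        ip = f"203.0.113.{10 + i // per_source}"
        lines.append(f"{ts} host sshd[{900 + i}]: Failed password for "
                     f"invalid user {user} from {ip} port {40000 + i} ssh2")
    return lines

def parse_failures(lines):
    """Return time-sorted (timestamp, user, source address) tuples."""
    events = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return sorted(events)

def per_ip_offenders(events, limit=5):
    """Addresses a per-source counter would act on (limit is an assumed value)."""
    counts = Counter(ip for _, _, ip in events)
    return sorted(ip for ip, n in counts.items() if n >= limit)

def rotating_campaign(events, window=timedelta(minutes=10),
                      min_failures=10, min_sources=3):
    """True if some sliding window holds many failures spread over several sources."""
    lo = 0
    for hi, (ts, _, _) in enumerate(events):
        while ts - events[lo][0] > window:
            lo += 1
        span = events[lo:hi + 1]
        if len(span) >= min_failures and len({ip for _, _, ip in span}) >= min_sources:
            return True
    return False
```

On the constructed log no single address reaches the per-source limit, while the host-wide window still flags the run.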
