If they can break a password in less than 5 min, which is my window of
checks, then they are going to defeat any method I can conceive. The idea is
that my password is secure enough to stand up to 5 min worth of guesses. A
port knocking lock is not entirely invulnerable. One could just try hitting
pairs of ports until they get a response from an ssh session. I agree it is
an extra level of security and may well be useful in conjunction with a
brute force attack blocker like my script.
----- Original Message -----
From: "John Summerfied" <debian@xxxxxxxxxxxxxxxxxxxxxx>
To: "For users of Fedora Core releases" <fedora-list@xxxxxxxxxx>
Sent: Thursday, January 26, 2006 5:49 PM
Subject: Re: hosts.deny script
Steven J Lamb wrote:
I am trying to create a script to block people using hosts.deny. I
realize that I should just block everyone and then open access for those
whom I know I trust, but because of the nature of our network this is not
possible. Basically I check log files for login attempts every five
minutes and block those that attempt to log in more than 3 times that
day.
This is too late. An automated attack may well be completed in this window
of time.
Instead, use another port as a door-knock: when someone tries to connect
to <some port>, then allow connexions to ssh for a short time.
For an automated connexion from a remote site, something like this:
echo | nc example.com <some port>
ssh example.com
The nc command is contained in the netcat package.
I think I've seen how to implement this door knock entirely in iptables
recently, but didn't note the details.
--
Cheers
John
-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxxxxxxxxx Z1aaaaaaa@xxxxxxxxxxxxxxxxxxxxxxx
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/
do not reply off-list
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
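Added example, not code from either poster in this thread: a POSIX shell
sketch of the log check Steven describes (count sshd "Failed password" lines
per source address and emit hosts.deny entries for addresses over a
threshold), run over a constructed sample of syslog-style sshd lines. The
threshold of 3, the "sshd:" daemon name in hosts.deny and the sample log are
assumptions for illustration. It also shows the boundary case (exactly 3
failures is not "more than 3", so that address is not blocked) and filters
out addresses already present in hosts.deny so a run every five minutes does
not keep appending duplicates.

```sh
#!/bin/sh
# Added example for the hosts.deny discussion (not from the thread).
# Counts failed sshd logins per source address and emits hosts.deny lines.

# Constructed sample log in classic syslog/sshd format. On Fedora the real
# file would be /var/log/secure; it is embedded here so the example runs
# offline. 203.0.113.7 fails 4 times, 192.0.2.9 exactly 3, 198.51.100.5 once.
SAMPLE_LOG="$(cat <<'EOF'
Jan 26 17:40:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Jan 26 17:40:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40123 ssh2
Jan 26 17:40:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 40124 ssh2
Jan 26 17:40:07 host sshd[1207]: Failed password for root from 203.0.113.7 port 40125 ssh2
Jan 26 17:41:10 host sshd[1210]: Failed password for steve from 198.51.100.5 port 51000 ssh2
Jan 26 17:41:20 host sshd[1212]: Accepted password for steve from 198.51.100.5 port 51001 ssh2
Jan 26 17:42:00 host sshd[1215]: Failed password for invalid user test from 192.0.2.9 port 33000 ssh2
Jan 26 17:42:01 host sshd[1216]: Failed password for invalid user test from 192.0.2.9 port 33001 ssh2
Jan 26 17:42:02 host sshd[1217]: Failed password for invalid user test from 192.0.2.9 port 33002 ssh2
EOF
)"

# Read log text on stdin; print "count ip" for every source address with
# MORE THAN $1 failed logins. The sed anchors on the trailing
# " from <ip> port <n> ssh2" so a crafted user name containing "from"
# cannot be mistaken for the source address.
failed_login_offenders() {
    threshold="$1"
    grep 'sshd\[[0-9]*\]: Failed password for' \
      | sed -n 's/.* from \([0-9][0-9.]*\) port [0-9]* ssh2$/\1/p' \
      | sort | uniq -c \
      | awk -v t="$threshold" '$1 > t { print $1, $2 }'
}

# Turn "count ip" lines into hosts.deny entries that deny sshd only
# (assumed daemon name; sshd must be built with tcp_wrappers support).
hosts_deny_lines() {
    awk '{ print "sshd: " $2 }'
}

# Drop candidate deny lines that already appear (whole-line match) in the
# existing hosts.deny given as $1, so repeated runs add each host once.
new_deny_entries() {
    existing="$1"
    [ -f "$existing" ] || existing=/dev/null
    grep -vxF -f "$existing" - || true
}

# Typical use from a five-minute cron job would be along the lines of:
#   failed_login_offenders 3 < /var/log/secure | hosts_deny_lines \
#     | new_deny_entries /etc/hosts.deny >> /etc/hosts.deny
# Demonstration on the constructed sample only:
printf '%s\n' "$SAMPLE_LOG" | failed_login_offenders 3 | hosts_deny_lines
```

With threshold 3 only 203.0.113.7 is denied; 192.0.2.9 sits exactly on
the threshold and survives until its fourth attempt. Nothing here shortens
the window John objects to: an attacker still gets every guess that fits
between two cron runs, which is why he suggests the door-knock instead of,
or in addition to, this kind of after-the-fact blocking.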