
List:       ipfilter
Subject:    Re: IPFilter connection limit
From:       Jett Tayer <jett () sycorax ! ath ! cx>
Date:       2006-06-25 9:04:50
Message-ID: 87FBC58A-8B53-40C1-B649-B98E837D4197 () sycorax ! ath ! cx


On 06 24, 06, at 4:34 PM, a b wrote:

>> I'm actually running it to block brute-force attacks every 3 mins
>> and it works fine.
>
> Ah, so you have brute force attacks on your SSH port(s)? Well why
> didn't you write so in the first place!
Yes, but not just on my sshd server. :)
>
> I recommend to reconfigure the sshd daemon to listen on another  
> *well known* port. That confuses 100% of the attackers (no more  
> brute force attacks).
It's a workaround, not a solution.
>
> If the attacker starts banging on the other port, he or she will  
> try to bang on the appropriate service on that port, but since  
> there is something completely different listening, they can bang on  
> it 'till the cows come home.
They can use strobe or amap and see what's there that you're running.

>
> As a *theoretical* example, you could reconfigure sshd to listen on  
> port 443. So when the attacker tries an attack on port 22, he/she  
> will get zilch, because sshd isn't listening on that port any more.
Can't do this. I'm running an HTTPS service.
>
> However, the scan will reveal that you have port 443 open. So the  
> attacker "knows" that you have an SSL httpd listening on that port.  
> Except it's sshd instead! Imagine all the time they will waste with  
> SSL based attacks... on sshd!
>
Let me rephrase my question: can ipfilter do a connection "rate limit"?

Jett Tayer
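As an added example, not code from this thread or from IPFilter: the kind of check a periodic blocking script like the one described above would run before handing addresses to the packet filter. It assumes syslog-style sshd "Failed password" lines (the sample below is constructed) and flags a source address once it accumulates a threshold of failures inside a sliding 3-minute window.

```python
"""Sliding-window counter of sshd login failures per source address (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample sshd log lines in syslog format (no year); not from the thread.
SAMPLE_LOG = """\
Jun 25 09:00:01 host sshd[1001]: Failed password for root from 192.0.2.10 port 51000 ssh2
Jun 25 09:00:12 host sshd[1002]: Failed password for invalid user admin from 192.0.2.10 port 51001 ssh2
Jun 25 09:01:03 host sshd[1003]: Failed password for root from 198.51.100.7 port 40000 ssh2
Jun 25 09:01:40 host sshd[1004]: Failed password for root from 192.0.2.10 port 51002 ssh2
Jun 25 09:02:30 host sshd[1005]: Failed password for root from 192.0.2.10 port 51003 ssh2
Jun 25 09:05:00 host sshd[1006]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jun 25 09:09:00 host sshd[1007]: Failed password for root from 198.51.100.7 port 40002 ssh2
"""

FAILED = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port"
)


def parse(line, year=2006):
    """Return (timestamp, source address) for a failed-login line, else None."""
    m = FAILED.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2)


def offenders(lines, threshold=4, window=timedelta(minutes=3)):
    """Map each address that reached `threshold` failures within `window`
    to the timestamp at which it first crossed the threshold."""
    recent = defaultdict(deque)  # addr -> timestamps still inside the window
    hits = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, addr = parsed
        q = recent[addr]
        q.append(ts)
        while q and ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold and addr not in hits:
            hits[addr] = ts
    return hits


if __name__ == "__main__":
    for addr, when in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{addr} crossed the threshold at {when.isoformat()}")
```

With the constructed sample, 192.0.2.10 is flagged at 09:02:30 (four failures in under three minutes) while 198.51.100.7's slower attempts never accumulate inside one window.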

