George A. Theall on 10 Dec 2008 15:48:08 -0800



Re: [PLUG] Brute force SSH attack confounds defenders


On Wed, Dec 10, 2008 at 11:56:58AM -0500, John Von Essen wrote:

> Well, hosting the distributed database of IPs is easy, the hard part
> is getting all the Linux distros to recompile sshd to support it,
> and push it out into new releases.

Instead of integrating it directly into sshd, what about a system in
which you have collection agents that monitor for signs of abuse and
send it to a collection agency?  That agency in turn correlates abuse
across reporting systems and sends back a list of the top abusers.  It's
then up to individual systems to block them in some fashion, be it TCP
Wrappers, iptables rules, or something like that.  ISC's DShield already
implements this sort of thing using firewall logs, although it's not
specific to SSH -- see http://www.dshield.org/hpbinfo.html.

George
-- 
theall@tifaware.com
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
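As an added example (not part of George's post, and not DShield's code), here is a Python sketch of the agent/collection-agency split he describes: agents extract failed-login sources from sshd log lines, the correlator ranks sources by how many independent systems report them, and the result is rendered as TCP Wrappers hosts.deny entries. The host names and log lines are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd log lines from two hypothetical reporting hosts.
AGENT_LOGS = {
    "host-a": [
        "Dec 10 15:01:02 host-a sshd[1234]: Failed password for root from 198.51.100.7 port 4410 ssh2",
        "Dec 10 15:01:05 host-a sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 4412 ssh2",
        "Dec 10 15:02:11 host-a sshd[1240]: Failed password for alice from 203.0.113.9 port 5100 ssh2",
        "Dec 10 15:02:40 host-a sshd[1241]: Accepted publickey for alice from 203.0.113.9 port 5101 ssh2",
    ],
    "host-b": [
        "Dec 10 15:03:00 host-b sshd[2201]: Failed password for root from 198.51.100.7 port 3301 ssh2",
        "Dec 10 15:03:03 host-b sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 3302 ssh2",
        "Dec 10 15:03:10 host-b sshd[2202]: Failed password for invalid user oracle from 192.0.2.44 port 3303 ssh2",
        "Dec 10 15:03:14 host-b sshd[2202]: Failed password for invalid user test from 192.0.2.44 port 3304 ssh2",
    ],
}

# Matches OpenSSH "Failed password" lines, with or without "invalid user".
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def agent_report(lines, min_failures=2):
    """Collection agent: count failed logins per source IP and report only
    sources above a local threshold, so a single mistyped password
    (like alice above) never leaves the host."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= min_failures}

def correlate(reports, min_reporters=2):
    """Collection agency: merge per-agent reports and rank sources by the
    number of distinct reporting systems, then by total failures. Only
    sources seen by several independent systems make the shared list."""
    reporters, totals = defaultdict(set), Counter()
    for agent, rep in reports.items():
        for ip, n in rep.items():
            reporters[ip].add(agent)
            totals[ip] += n
    ranked = sorted(totals, key=lambda ip: (len(reporters[ip]), totals[ip]), reverse=True)
    return [ip for ip in ranked if len(reporters[ip]) >= min_reporters]

def hosts_deny_rules(ips):
    """Render the shared list as TCP Wrappers hosts.deny lines limited to sshd."""
    return [f"sshd: {ip}" for ip in ips]

if __name__ == "__main__":
    reports = {agent: agent_report(lines) for agent, lines in AGENT_LOGS.items()}
    print("\n".join(hosts_deny_rules(correlate(reports))))
```

With these inputs 192.0.2.44 is reported by host-b alone and so stays off the shared list, while 198.51.100.7, seen by both hosts, is the only entry pushed back to subscribers.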