How do I stop brute-force SSH login attempts?

Soo-Hyun Choi s.choi at hackers.org.uk
Wed Apr 12 21:23:00 UTC 2006


Thanks for your professional view on this matter, and I totally agree
with you that "everything not explicitly permitted is forbidden".

You also suggested reading some security literature in order to get
started. If I ask for some detailed references, what would you
recommend?

You also mentioned forming a group of people to study security
topics, but where can I find such interested groups to join? If
you're running one, I would be happy to discuss with you.

Soo-Hyun


On 4/12/06, email.listen at googlemail.com <email.listen at googlemail.com> wrote:
> On Wed, 12 April 2006 21:04, Soo-Hyun Choi wrote:
> > Okay, now, what if I would like to attack the machine back? I guess
> > the machine performing the brute-force SSH attack would also have been
> > cracked by somebody. Assuming that the attacking machine is the
> > originator, how do I fight back?
>
> One might define reactions to certain attacks in portsentry.conf, e.g. running
> a script.
>
> But I would _STRONGLY_ suggest _NOT_ to do so!
> 1. You don't know if it is a blackhat or just a hijacked machine
> 2. Doing so is an attack in itself
> 3. This is against the law in most countries, e.g. here in Europe
> 4. Even scanning the attacker is not allowed, since using
>   scanning techniques is against the law in many countries.
>
> But what might be interesting is setting up a so-called tarpit.
> Tarpits work as the name says: they stick an attacker for a certain
> period of time, during which he doesn't attack other machines.
> But this is mostly useless if the attack comes from a skilled blackhat and not
> just a script kiddie.
>
>
> Another often-used technique is setting up so-called honeypots or a
> honeynet.
> A honeypot attracts an attacker as honey attracts a bear, so that he can be
> examined.
> E.g. Honeywall is a GNU/Linux distribution and live CD which does this.
> Using a honeypot is a bit tricky, though.
> A wrongly configured or misconfigured honeypot brings more harm than it will
> help.
>
> But before doing so, as said before, I would recommend reading some
> IT-security-related books. Two to five kg of security literature should be
> enough for a first start, I would say... :-)
> You may have a look at: http://www.bsi.de/english/gshb/
> BSI (Federal Office for Information Security) is a German state
> authority for IT security (not only) in the public sector.
> This guide mostly follows the directive "everything which is not explicitly
> allowed is forbidden". To be honest, you don't make friends setting up a
> network the way BSI suggests... :-))
>
>
> Maybe it's an idea to start a local security self-study group. Learning in a
> team is IMO more efficient than doing it alone, and it has something of a
> sporting character. I say this because this was the way I, or better we, started
> at university some decades ago. We did a kind of network role-play, trying
> to penetrate each other's machines and defending against the attacks.
> In the end it is at least a way to get skilled in an IT field which
> offers the most and best-paid jobs I know of. ;-)
>
>
> regards,
> Thomas
>
> --
> ubuntu-users mailing list
> ubuntu-users at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
>
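The thread's original question (stopping brute-force SSH logins) and Thomas's point that the only sensible "reaction" is a local one, not attacking back, can be illustrated with a small detector. The following is an added example, not code from the thread or from portsentry: it parses constructed sshd auth.log lines (syslog format, as sshd logs them on Debian/Ubuntu), keeps a sliding window of failed logins per source address, and emits the local iptables DROP rule for any source that exceeds an assumed threshold (5 failures within 10 minutes). The threshold, window and the iptables command are assumptions, not values from the thread; the rules are returned as strings and never executed. Note the caveat in the code that syslog timestamps carry no year, so a window spanning New Year would be mis-measured; production tools such as fail2ban handle this, but the logic is the same.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines (not taken from the thread). Sources:
#   203.0.113.7   - six failures in six seconds: classic brute force
#   198.51.100.20 - one typo followed by a successful key login: a real user
#   192.0.2.9     - five failures spread over an hour: slow, below the window
SAMPLE_AUTH_LOG = """\
Apr 12 21:00:01 host sshd[4101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Apr 12 21:00:03 host sshd[4103]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Apr 12 21:00:04 host sshd[4105]: Failed password for root from 203.0.113.7 port 51241 ssh2
Apr 12 21:00:05 host sshd[4107]: Failed password for invalid user oracle from 203.0.113.7 port 51250 ssh2
Apr 12 21:00:06 host sshd[4109]: Failed password for root from 203.0.113.7 port 51255 ssh2
Apr 12 21:00:07 host sshd[4111]: Failed password for root from 203.0.113.7 port 51260 ssh2
Apr 12 21:01:10 host sshd[4120]: Failed password for alice from 198.51.100.20 port 40000 ssh2
Apr 12 21:01:15 host sshd[4122]: Accepted publickey for alice from 198.51.100.20 port 40001 ssh2
Apr 12 21:30:00 host sshd[4200]: Failed password for root from 192.0.2.9 port 60000 ssh2
Apr 12 21:45:00 host sshd[4201]: Failed password for root from 192.0.2.9 port 60001 ssh2
Apr 12 22:00:00 host sshd[4202]: Failed password for root from 192.0.2.9 port 60002 ssh2
Apr 12 22:15:00 host sshd[4203]: Failed password for root from 192.0.2.9 port 60003 ssh2
Apr 12 22:30:00 host sshd[4204]: Failed password for root from 192.0.2.9 port 60004 ssh2
"""

# Matches sshd's "Failed password" line for both existing and invalid users.
# Other failure kinds ("Failed publickey", "Invalid user ... from") are not
# counted here; a real deployment would add patterns for them.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Assumed policy: block a source after THRESHOLD failures within WINDOW_SECONDS.
THRESHOLD = 5
WINDOW_SECONDS = 600


def parse_syslog_ts(ts):
    # Syslog timestamps carry no year; strptime fills in 1900. Deltas within
    # one year are still correct, but a window crossing New Year is not
    # (caveat of this example, not handled here).
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def find_bruteforce(lines, threshold=THRESHOLD, window_seconds=WINDOW_SECONDS):
    """Return {source_ip: timestamp of the failure that tripped the threshold}.

    Keeps a per-source deque of failure timestamps and drops entries older
    than the window before comparing the count against the threshold, so a
    slow attacker spaced wider than the window is never blocked.
    """
    recent = defaultdict(deque)
    blocked = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ip = m.group("ip")
        if ip in blocked:
            continue  # already decided; no need to keep counting
        ts = parse_syslog_ts(m.group("ts"))
        window = recent[ip]
        window.append(ts)
        # Expire failures that fell out of the sliding window. The loop always
        # terminates because the entry just appended has a delta of zero.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            blocked[ip] = ts
    return blocked


def block_commands(blocked, ssh_port=22):
    """Return the local firewall rules a reaction script would run (assumed
    iptables syntax; returned as strings, never executed here)."""
    return [
        f"iptables -I INPUT -s {ip} -p tcp --dport {ssh_port} -j DROP"
        for ip in sorted(blocked)
    ]


if __name__ == "__main__":
    hits = find_bruteforce(SAMPLE_AUTH_LOG.splitlines())
    for ip, when in hits.items():
        print(f"{ip} exceeded {THRESHOLD} failures by {when.strftime('%b %d %H:%M:%S')}")
    for cmd in block_commands(hits):
        print(cmd)
```

Run as-is it reports only 203.0.113.7 and prints one DROP rule; the user who mistyped a password once and the slow scanner at 192.0.2.9 are left alone. Lowering the threshold to 3 with a one-hour window also catches 192.0.2.9, which is the trade-off every such tool has to tune: a tight window misses slow scans, a wide one locks out clumsy legitimate users.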