Re: NEW "SSH Brute Force " ruleset (20050628.0)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Grant Taylor <gtaylor@riverviewtech.net>
To: netfilter@lists.netfilter.org
Subject: Re: NEW "SSH Brute Force " ruleset (20050628.0)
Date: Sat, 03 Sep 2005 17:08:24 -0500	[thread overview]
Message-ID: <431A1ED8.4090707@riverviewtech.net> (raw)
In-Reply-To: <5d2f379105070210137e0af6ca@mail.gmail.com>

> To protect against DoS, is there any easy way of requiring that three
> packets be transferred in an SSH connection before it triggers a
> recent update?  Since someone spoofing source IPs to DoS would be
> unlikely to continue the connection with the server, such DoS attacks
> might be foiled more effectively this way than using rttl (which the
> attacker can just exhaustively try all values for).

(I've not responded to these posts b/c I don't have the needed resources in my kernel (and I'm not running modules) and I have not had the time to recompile for my Cobalt (non standard kernel & boot process).)

I think it would be vary easy to use the connbytes module to test for the number of packets or the amount of data that has been transfered in any given connection.  In fact this is how I was going to determine on the packet level that an SSH connection was good and assume that the user had successfully logged in.  If any given connection has transfered x number of bytes or y number of packets then I'll assume (on the network layer) that they have successfully logged in on the application layer and that they are a valid user.

Grant. . . .

next prev parent reply	other threads:[~2005-09-03 22:08 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-06-28  7:10 NEW "SSH Brute Force " ruleset (20050628.0) Taylor, Grant
2005-07-01 19:07 ` Marius Mertens
2005-07-02 17:13   ` curby .
2005-09-03 22:08     ` Grant Taylor [this message]
2005-09-04  5:01       ` /dev/rob0
2005-09-04 19:59         ` /dev/rob0
2005-09-05 20:14           ` /dev/rob0

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=431A1ED8.4090707@riverviewtech.net \
    --to=gtaylor@riverviewtech.net \
    --cc=netfilter@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.