Re: NEW "SSH Brute Force " ruleset (20050628.0)

Linux Netfilter discussions
 help / color / mirror / Atom feed

From: Grant Taylor <gtaylor@riverviewtech.net>
To: netfilter@lists.netfilter.org
Subject: Re: NEW "SSH Brute Force " ruleset (20050628.0)
Date: Sat, 03 Sep 2005 17:08:24 -0500	[thread overview]
Message-ID: <431A1ED8.4090707@riverviewtech.net> (raw)
In-Reply-To: <5d2f379105070210137e0af6ca@mail.gmail.com>

> To protect against DoS, is there any easy way of requiring that three
> packets be transferred in an SSH connection before it triggers a
> recent update?  Since someone spoofing source IPs to DoS would be
> unlikely to continue the connection with the server, such DoS attacks
> might be foiled more effectively this way than using rttl (which the
> attacker can just exhaustively try all values for).

(I've not responded to these posts b/c I don't have the needed resources in my kernel (and I'm not running modules) and I have not had the time to recompile for my Cobalt (non standard kernel & boot process).)

I think it would be vary easy to use the connbytes module to test for the number of packets or the amount of data that has been transfered in any given connection.  In fact this is how I was going to determine on the packet level that an SSH connection was good and assume that the user had successfully logged in.  If any given connection has transfered x number of bytes or y number of packets then I'll assume (on the network layer) that they have successfully logged in on the application layer and that they are a valid user.

Grant. . . .

next prev parent reply	other threads:[~2005-09-03 22:08 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-06-28  7:10 NEW "SSH Brute Force " ruleset (20050628.0) Taylor, Grant
2005-07-01 19:07 ` Marius Mertens
2005-07-02 17:13   ` curby .
2005-09-03 22:08     ` Grant Taylor [this message]
2005-09-04  5:01       ` /dev/rob0
2005-09-04 19:59         ` /dev/rob0
2005-09-05 20:14           ` /dev/rob0

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=431A1ED8.4090707@riverviewtech.net \
    --to=gtaylor@riverviewtech.net \
    --cc=netfilter@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox