[Dshield] SSH threats

Tomas L. Byrnes tomb at byrneit.net
Mon Oct 1 15:45:19 GMT 2007


What are your thoughts on running a block list derived from the denyhosts network data on your firewall?

I guess that the block list could be polluted by someone using the injection technique across a large number of hosts, but how likely is that?

 

> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Daniel Cid
> Sent: Friday, September 28, 2007 12:29 PM
> To: General DShield Discussion List
> Subject: Re: [Dshield] SSH threats
> 
> Hi Tom,
> 
> I wouldn't recommend running DenyHosts at all*. It has a 
> serious vulnerability that hasn't been fixed in
> months:
> 
> 
> http://www.ossec.net/en/attacking-loganalysis.html#denyhosts
> 
> 
> It basically allows anyone to inject any IP (including the 
> "any" keyword) to your hosts.deny file.
> 
> 
> *I know, every tool can have security problems, but it must 
> be timely patched (especially a tool that is meant to improve 
> security).
> 
> 
> Thanks,
> 
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
> 
> 
> --- Tom <dshield at oitc.com> wrote:
> 
> > DShield,
> > 
> > You process our and others' firewall logs to detect port activity and
> > identify associated IPs and their activities.  We, here, also monitor
> > attempted ssh (and other services) logons with DenyHosts and deny via
> > TCPwrappers.  Would this information also be helpful?
> > 
> > Tom
> > --
> > 
> > Tom Shaw - Chief Engineer, OITC
> > <tshaw at oitc.com>, http://www.oitc.com/ US Phone Numbers: 321-984-3714,
> > 321-729-6258(fax), 321-258-2475(cell/voice mail,pager) Text Paging:
> > http://www.oitc.com/Pager/sendmessage.html
> > AIM/iChat: trshaw at mac.com
> > Google Talk: trshaw at gmail.com
> > 
> > _________________________________________
> > SANS Network Security 2007 in Las Vegas September 22-30. 39 courses,
> > SANS top instructors.  http://www.sans.org/info/9346
> > 
> 
> 
> 
> 
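One way to vet a hosts.deny-style block list before it is loaded into a firewall, so that a polluted entry such as a wildcard keyword or one of your own addresses is dropped. This is an added example, not part of the original thread and not DenyHosts or DShield code; the function names, the NEVER_BLOCK network and the sample addresses are constructed assumptions.

```python
import ipaddress

# Assumption: networks that must never be blocked (own ranges, management hosts).
NEVER_BLOCK = [ipaddress.ip_network("11.22.40.0/24")]

def vet_entry(token, never_block=NEVER_BLOCK):
    """Return (ip, None) if the token is safe to block, else (None, reason)."""
    try:
        ip = ipaddress.ip_address(token.strip("[]"))  # hosts.deny brackets IPv6
    except ValueError:
        # Wildcards such as ALL/any, hostnames, netmasks and patterns land here.
        return None, "not a single literal IP address"
    if not ip.is_global:
        return None, "not a publicly routable address"
    if any(ip.version == net.version and ip in net for net in never_block):
        return None, "inside a never-block network"
    return ip, None

def sanitize(lines, never_block=NEVER_BLOCK):
    """Split a hosts.deny-style list into blockable IPs and rejected tokens."""
    accepted, rejected = set(), []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # hosts.deny syntax is "daemon_list : client_list"
        _, sep, clients = line.partition(":")
        if not sep:
            rejected.append((line, "no daemon:client separator"))
            continue
        for token in clients.replace(",", " ").split():
            ip, reason = vet_entry(token, never_block)
            if ip is None:
                rejected.append((token, reason))
            else:
                accepted.add(ip)
    ordered = sorted(accepted, key=lambda ip: (ip.version, int(ip)))
    return [str(ip) for ip in ordered], rejected

# Constructed sample input, not taken from any real block list.
SAMPLE = [
    "# shared list",
    "sshd: 11.22.33.44",
    "sshd: ALL",
    "ALL: any",
    "sshd: 10.0.0.5",
    "sshd: 11.22.40.7",
    "sshd: 11.22.33.45, 11.22.33.44",
    "sshd: 11.22.33.0/255.255.255.0",
]
```

Only the accepted list should be turned into firewall rules; the rejected list is worth logging, since wildcard or internal entries there suggest the source data was tampered with.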


