[darcs-users] Offtopic: denyhosts (was: ssh path)

Ketil Malde ketil.malde at bccs.uib.no
Fri Nov 23 11:35:41 UTC 2007


[This is diverging a bit, so I've changed the subject, but leave the
list Cc'ed for now] 

"Yitzchak Gale" <gale at sefer.org> writes:

> How much time does it take to set up, maintain,
> etc.? 

Depends on your system, I guess.  It's apt-get'table on Ubuntu, and
probably on most Linux distributions.  It's written in Python, so it
should be fairly portable.  There's a config file you can tweak, but I
think it works quite well out of the box - synchronizing blocked
entries with a central repo is optional and must be enabled; you may
also want to whitelist certain IPs.

Maintenance so far is limited to reading the email-reports when it has
blocked someone, but that is optional, too.

> If enough people start using denyhosts - they'll
> find an attack for that, too. Sigh.

Well, tarpit would help slow down the attacks (by modifying TCP
settings to one-byte packets and huge timeouts and whatnot.  A friend
uses this on mail to thwart spam, and occasionally posts reports on how
long he's kept some spammer busy trying in vain to deliver.)

Anyway, if enough people use denyhosts, there will be fewer guessed
passwords, and thus fewer infected hosts to keep the attacks coming.
(Assuming the machines got hacked via ssh, too, I don't know if that's
the case, though.)  You could also use the central registry of zombies
to block more aggressively, but that opens up for denial of access.  (I
push, but don't pull blocked IPs, partly for that reason.)  The flip
side is that denyhosts will keep the attackers off the well-maintained
hosts, and direct them more quickly to easier targets...

-k
-- 
If I haven't seen further, it is by standing in the footprints of giants
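The mechanism the mail describes (a daemon that reads the sshd log, counts failed logins per source address, honours a whitelist so you cannot lock yourself out, and writes the offenders to /etc/hosts.deny) can be shown in miniature. The block below is an added example written for this page, not denyhosts' own code nor anything from the darcs project; the log lines are constructed, and the threshold, the whitelist network and the hosts.deny format are assumptions chosen for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sshd log lines in syslog format (not from a real host).
# 203.0.113.7 fails three times, 192.0.2.25 fails twice then succeeds,
# 198.51.100.9 fails once.
SAMPLE_AUTH_LOG = """\
Nov 23 11:01:02 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Nov 23 11:01:05 host sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Nov 23 11:01:09 host sshd[2205]: Failed password for root from 203.0.113.7 port 51251 ssh2
Nov 23 11:02:10 host sshd[2210]: Failed password for ketil from 192.0.2.25 port 40001 ssh2
Nov 23 11:02:12 host sshd[2210]: Failed password for ketil from 192.0.2.25 port 40001 ssh2
Nov 23 11:02:15 host sshd[2210]: Accepted password for ketil from 192.0.2.25 port 40001 ssh2
Nov 23 11:03:00 host sshd[2222]: Failed password for invalid user test from 198.51.100.9 port 33000 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Assumed values: addresses that must never be blocked (e.g. your own office
# network), and how many failures earn an address a hosts.deny entry.
WHITELIST = [ip_network("192.0.2.0/24")]
THRESHOLD = 3


def parse_failures(log_text):
    """Count failed-password attempts per source IP address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def is_whitelisted(ip):
    """True if the address lies in any whitelisted network."""
    addr = ip_address(ip)
    return any(addr in net for net in WHITELIST)


def hosts_to_deny(counts, threshold=THRESHOLD):
    """Addresses at or above the threshold that are not whitelisted, sorted."""
    return sorted(
        ip for ip, n in counts.items() if n >= threshold and not is_whitelisted(ip)
    )


def render_hosts_deny(ips):
    """Render tcp_wrappers-style lines restricting sshd from the given addresses."""
    return "".join(f"sshd: {ip}\n" for ip in ips)


if __name__ == "__main__":
    # Offline run over the constructed log; a real deployment would append
    # the rendered lines to /etc/hosts.deny and send the report by mail.
    blocked = hosts_to_deny(parse_failures(SAMPLE_AUTH_LOG))
    print(render_hosts_deny(blocked), end="")
```

Note that 192.0.2.25 is skipped although it failed twice: a whitelist is what keeps a mistyped password from your own workstation (or a replayed block list from someone else's registry) from turning into the denial of access the mail warns about.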
