agree

Posted Mar 6, 2007 18:17 UTC (Tue) by ofeeley (guest, #36105)
In reply to: agree by bronson
Parent article: Single Packet Authorization (Linux Journal)

And capturing a list of hostile machines' IP addresses and adding them to /etc/hosts.deny is nice. As long as you're using ssh keys, the script kiddie attacks are just providing a handy list of IPs to treat as hostile with very little actual risk.



Not sure I agree

Posted Mar 6, 2007 23:09 UTC (Tue) by bronson (subscriber, #4806)

There's a fine line between banning hostile IPs and DOSing yourself. :)

A lot (most?) of the traffic will be arriving on dynamic or shared IP addresses. Just because one packet was hostile, that doesn't mean that all traffic from that address will be hostile. Imagine visiting your parents and not being able to log in to your production server just because some script kiddie managed to get most of AOL's proxy IPs on your block list.

Also, I'm not sure that keeping a list of IPs actually buys you much. Most of the script kiddies responsible for this noise won't bother trying any other attack against you. And a determined attacker would never try something as noisy as a dictionary attack. Presumably he would already know that you're using pubkey authentication and a dictionary attack would be futile anyway.

So... Keeping a list of mostly harmless script kiddie IPs doesn't strike me as a very worthwhile endeavor...?
