[GLLUG] Maybe OT - Fail2ban and what triggers it

Ken Smith kens at kensnet.org
Mon Mar 18 09:26:27 UTC 2013


Ken Smith
K-Net Technology
020 8651 5722

Andy Smith wrote:
> Hi Ken,
>
> On Mon, Mar 18, 2013 at 07:39:06AM +0000, Ken Smith wrote:
>    
>> {snip} modified one of its scripts so that it runs a
>> stealth nmap scan of the login fail's source.
>>      
> I wouldn't really advise doing this as many people don't appreciate
> being scanned with tools like nmap and it is probably a breach of
> the acceptable use policy of whatever network you are on to be doing
> that against masses of hosts that you don't have permission to do it
> to.
>
>    
Fair point. Mind you, they didn't ask me if I was happy to accept their 
connection attempts. Having collected some stats maybe I should revert 
my changes.
>> The majority of the failures IP addresses resolve to originate
>> behind the Great Firewall and most of the sources look like Linux
>> machines, often Ubuntu.
>>      
> Is it possible that you've seen only a statistical anomaly? The SSH
> dictionary attacks I see tend to be from all over the place, as
> likely to be from the ARIN region as the APNIC region.
>    
Possibly.
> {snip}
> Host that I see fall prey to SSH dictionary attacks are very often
> immediately put to use by the attacker in carrying out further SSH
> dictionary attacks, so it is not surprising to me that most of these
> attacks come from hosts that themselves run an sshd.
>    
Fair point too.
> Also bear in mind that just because you have an IP address does not
> mean that connecting back to that IP address allows you to reach the
> actual source of the attack. {snip}
>    
Indeed, who knows what is really being 'seen'.
> Cheers,
> Andy
>
>    

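To make concrete what fail2ban actually reacts to in the thread's subject line, here is an added example (not code from the list or from fail2ban itself) that parses constructed sshd auth.log lines, counts failures per source address, and applies a simplified maxretry/findtime window of the kind fail2ban uses; the regex, the assumed year and the sample addresses are all assumptions for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Pattern in the spirit of fail2ban's sshd filter (simplified; not fail2ban's own regex).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed auth.log excerpt using documentation address ranges (not real hosts).
SAMPLE_LOG = """\
Mar 18 07:39:06 host sshd[1234]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar 18 07:39:08 host sshd[1234]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar 18 07:39:10 host sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Mar 18 07:39:12 host sshd[1236]: Failed password for invalid user oracle from 203.0.113.5 port 40140 ssh2
Mar 18 07:39:14 host sshd[1237]: Failed password for root from 203.0.113.5 port 40150 ssh2
Mar 18 07:40:00 host sshd[1240]: Failed password for ken from 192.0.2.9 port 50000 ssh2
Mar 18 08:10:00 host sshd[1241]: Failed password for ken from 192.0.2.9 port 50001 ssh2
Mar 18 08:11:00 host sshd[1242]: Accepted password for ken from 192.0.2.9 port 50002 ssh2
""".splitlines()

def parse_failures(lines, year=2013):
    """Yield (timestamp, source_ip) per failed-password line; syslog has no year, so one is assumed."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def failures_by_source(lines):
    """Count failures per source address: the raw stat behind 'where do the attacks come from'."""
    return Counter(ip for _, ip in parse_failures(lines))

def would_ban(lines, maxretry=5, findtime=600):
    """Return source IPs reaching maxretry failures inside a findtime-second sliding window.

    A typo-prone legitimate user whose failures are spread out is not banned; a burst is.
    """
    recent = defaultdict(list)
    banned = set()
    for ts, ip in parse_failures(lines):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:  # expire failures older than findtime
            window.pop(0)
        if len(window) >= maxretry:
            banned.add(ip)
    return banned
```

Note that, as Andy points out, the banned address is only where the packets arrived from, not necessarily where the attacker sits.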