My diary earlier this week led to some good discussion in the comments and on Twitter. I want to, first off, apologize for not responding as much or as quickly as I would have liked; I've actually been ill most of this week since posting the previous diary (and signing up for this slot as handler on duty). Having said that, the discussion got me thinking about fail2ban (and denyhosts) and how I've used them over the years, which brings me to a number of points I'd like to make and some further discussion I hope we can have. As rightly pointed out, I am sure that the brute forcing I am seeing is not from any scanning but because I set up an IPv6 address in DNS for my WordPress site, and the preference for IPv6 over IPv4 if DNS returns both. In fact, the attempts to log in as 'jim' show that they have at least scraped some content off the site, so they thought they could guess at a valid username (in fact, 'jim' is not a valid username on the site, but that is their problem, not mine).
All of this, though, I fear shows my IPv4 mindset. I've been using IPv4 for 30+ years and perhaps I'm just trying to force IPv6 into my IPv4 worldview.
Another commenter on the previous diary was someone who has reimplemented fail2ban and expanded it to handle IPv6 (and prefixes); this is actually something I'd love to dig further into. So, am I thinking about this all wrong? Is there a better way to do this? Should I not bother trying to slow/stop brute forcing and migrate all my authentication to PKI (public key infrastructure) or MFA (multi-factor authentication)? Let me know what you think in the comments, via our contact page, or on social media.
Jim, ISC Handler, Jan 19th 2018
For a long time now I've been successfully using iptables "-m recent" as a means for limiting access from strangers. "-m recent --rcheck --seconds 90 --hitcount 1" gives a would-be hacker one try to login every 90 seconds or so. That tends to put a severe hitch in their attempts to crack into the system. A distributed attack can still be a problem. But that's true with fail2ban and other such scripted solutions.
I like this technique's tidiness as it's all part of iptables itself, not any externally mounted script reading logs. And it's only a minor irritant if I typo my password when on the road. I do this for ssh, pop3s, and imaps access. {^_^}
Anonymous
Jan 20th 2018
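The comment above gives only the match fragment. As an added example (not the commenter's own rules, nor anything from the diary), here is the complete form of that "-m recent" pattern for ssh, imaps and pop3s, plus an ip6tables variant that ties the diary's IPv6 concern back in: xt_recent tracks each address separately, so an attacker who walks through their own /64 gets a fresh slot per /128 unless the list is aggregated by prefix with --mask. The port list, the 90 second window, the list name "strangers", and the use of --mask (which needs a kernel and iptables build new enough to support it; check `ip6tables -m recent --help`) are all assumptions of this example.

```sh
#!/bin/sh
# Per-source rate limit for new TCP connections with the iptables "recent" match,
# an added example of the pattern described in the comment above.
# Prints the rules by default; "sh ratelimit.sh apply" executes them (needs root).
# Port list, window and list name are constructed for this example.

PORTS="22,993,995"   # ssh, imaps, pop3s
WINDOW=90            # seconds a source must wait between new connections
LIST=strangers       # name of the recent list (/proc/net/xt_recent/$LIST)

# recent_rules IPT [MASK]: print the two rules for one iptables binary.
# MASK, when given, is passed as xt_recent --mask so that every address in
# the prefix shares one entry instead of each /128 getting its own.
recent_rules() {
    ipt=$1
    match="-p tcp -m multiport --dports $PORTS -m conntrack --ctstate NEW -m recent --name $LIST"
    if [ -n "$2" ]; then
        match="$match --mask $2"
    fi
    # Rule 1: source seen within the last WINDOW seconds -> drop the SYN.
    # --rcheck only consults the list and does not refresh the entry's timestamp,
    # so a blocked client does not extend its own wait by retrying.
    echo "$ipt -A INPUT $match --rcheck --seconds $WINDOW --hitcount 1 -j DROP"
    # Rule 2: not seen recently -> record (or refresh) the source and accept.
    echo "$ipt -A INPUT $match --set -j ACCEPT"
}

# all_rules: IPv4 per address; IPv6 per /64, since one host can use its whole /64
# (the mask value is an assumption; adjust to the prefix size you want to punish).
all_rules() {
    recent_rules iptables
    recent_rules ip6tables ffff:ffff:ffff:ffff::
}

if [ "$1" = apply ]; then
    all_rules | while read -r cmd; do
        $cmd
    done
else
    all_rules
fi
```

Two things to check before applying this. The rules are appended with -A, so they must come after your ESTABLISHED,RELATED accept rule (so only the first SYN of each session is counted) and after any accept rules for addresses you trust, but before any blanket accept for these ports. Also note that the 90 second clock starts at the last accepted connection, successful or not, so reconnecting right after a clean logout is dropped too; that is the "minor irritant" the commenter mentions. Current entries can be inspected with `cat /proc/net/xt_recent/strangers`, and one address can be cleared with `echo -ADDR > /proc/net/xt_recent/strangers`.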