By: n8

n8 — Wed, 11 Jun 2008 19:21:15 +0000

I didn’t claim that all the tools I listed were log file scanners, but I probably shouldn’t have included ssh-faker since it falls under the “alter your sshd service” category. I’ll remove it now.

By: CH

CH — Wed, 11 Jun 2008 18:58:42 +0000

I’m pleased to note that ssh-faker (on your list) doesn’t scan log files. It blacklists all hosts, until you telnet to port 22 and type a password, at which point your current ip address is whitelisted. No cron job, no daemon, no log file scanning. The database is /etc/hosts.allow.

On the downside, it doesn’t remove addresses from the white list, but that’s hardly a problem, as you’re still blocking 99.999% of the internet whether your whitelist contains 10 or 1000 entries.

Comments on: Dictionary attacks, or why log file monitoring is dumb

By: n8

By: CH