unixfool |
01-22-2009 01:34 PM |
That won't work with a targeted attack, as anyone can probe an open port to determine what's actually running on the other end (a simple telnet to port xxx will show an SSH banner, no matter the port), but I get what you're saying.
I donate my logs to security sites (sans.org/dshield.org), so I'd prefer to log and block such activity. I think its prudent to watch such activity, even though its being dropped. I compared my SSH logs with my FW and Denyhosts logs and found that some things weren't being blocked by Denyhosts. The FW would let the traffic in and SSH would deny it while Denyhosts wouldn't block. This is why layering security is good. When 2 of 3 layers don't work, that last layer is the very last defense. The distributed attacks didn't affect me but it was a definitely smart thing to do (if you're a hacker) to dodge thresholded blocking. It pays to understand what's in your logs and how to mitigate or remedy security issues. Historical log trending can ferret out less obvious security issues that may or may not affect the masses...better to understand now than be blind-sided.
|