DragonFly users List (threaded) for 2010-03
Re: Security process
Aggelos Economopoulos wrote:
> > I got curious about BSD (DragonFly, specifically) security and
> > wondered why there wasn't a security process that processed all
> > security-relevant error messages which could then be used to
> > block IPs, disable user accounts, and kill processes.
>
> a) such a mechanism could be used for DoS attacks on the system itself
> b) whether an error message is "security-relevant" is not something one
> can decide with a trivial heuristic
> c) most network services are 3rd-party software that we have no control over
I don't understand how blocking an IP that has had
a hundred failed login attempts in the last ten
minutes could create a DoS hole...
What if someone hacked an account and started trying
to gain root access? Aren't there ways to tell you've
got a hacker online before he/she compromises your
system? It seems like a good thing to know. Yet, as
I must admit, I have no idea what tools are in place
which might be used to gauge this. The heuristics may
not be trivial, but could be developed... I was just
wondering why no one had tried it.
> > it'd be a step to automating *some* obvious security measures
> > rather than requiring root action. Things like repeated log-in
> > failures from external (as in China) IPs. Anyone?
>
> "External" to what? FYI people in China are potential users of
> DragonFlyBSD (or indeed any free software project) as much as those in
> any other country. Some have even been known to be important developers...
No offense meant to China. It just happened that a few
weeks ago that I needed to grant FTP access to an outside
user, and in an hour I had one of those 'bots' trying to
gain access to my computer - the IP resolved to China.
It was just an example.
I just thought that I'd like a tool that once I got some
definable failed login attempts that I'd like the computer
to automatically shunt the source IP for a while.
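The mechanism argued over in this thread, a counter of failed logins per source address inside a time window that "shunts" the address for a while once a threshold is crossed, is small enough to sketch in full. The script below is an added illustration written for this page; it is not DragonFly code, not anything from the list, and not a description of any existing tool. It assumes syslog-style sshd lines of the form shown in the constructed sample (the hostname, PIDs and addresses are made up), assumes the year 2010 for the year-less syslog timestamps, and represents a block purely as an expiry time rather than talking to a packet filter. The `never_block` list is the one concession to point (a) above: addresses the operator relies on are exempt, so a burst of failures from them cannot turn the blocker against its own host.

```python
"""Threshold-based login-failure blocker (added example, not DragonFly code).

Assumptions, all made for this illustration:
  - log lines look like the constructed SAMPLE_LOG below
  - syslog timestamps carry no year; YEAR supplies one
  - a "block" is an entry in a dict with an expiry; wiring it into pf/ipfw
    is left out
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
Mar 10 02:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Mar 10 02:00:05 host sshd[1002]: Failed password for invalid user oracle from 203.0.113.7 port 40002 ssh2
Mar 10 02:00:09 host sshd[1003]: Accepted publickey for alice from 192.168.1.20 port 50000 ssh2
Mar 10 02:00:12 host sshd[1004]: Failed password for root from 203.0.113.7 port 40003 ssh2
Mar 10 02:30:00 host sshd[1005]: Failed password for bob from 198.51.100.9 port 41000 ssh2
Mar 10 02:50:00 host sshd[1006]: Failed password for bob from 198.51.100.9 port 41001 ssh2
Mar 10 02:55:00 host sshd[1007]: Failed password for bob from 198.51.100.9 port 41002 ssh2
Mar 10 03:00:00 host sshd[1008]: Failed password for alice from 192.168.1.20 port 50001 ssh2
Mar 10 03:00:01 host sshd[1009]: Failed password for alice from 192.168.1.20 port 50002 ssh2
Mar 10 03:00:02 host sshd[1010]: Failed password for alice from 192.168.1.20 port 50003 ssh2
"""

YEAR = 2010  # assumed year for the year-less syslog timestamps

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_failure(line):
    """Return (timestamp, source ip) for a failed-login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


class FailureBlocker:
    def __init__(self, threshold, window, block_for, never_block=()):
        self.threshold = threshold      # failures needed inside the window
        self.window = window            # sliding window length
        self.block_for = block_for      # how long a block lasts
        # Exempt networks: the answer to "this could DoS the system itself".
        self.never_block = [ip_network(n) for n in never_block]
        self.failures = defaultdict(deque)  # ip -> timestamps inside the window
        self.blocked = {}                   # ip -> block expiry

    def is_blocked(self, ip, now):
        """True while a block is in force; expired blocks are dropped."""
        expiry = self.blocked.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked[ip]
            return False
        return True

    def observe(self, ts, ip):
        """Record one failure; return True if it triggers a new block."""
        if any(ip_address(ip) in net for net in self.never_block):
            return False
        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # slide the window forward
            q.popleft()
        if len(q) >= self.threshold and not self.is_blocked(ip, ts):
            self.blocked[ip] = ts + self.block_for
            q.clear()
            return True
        return False


def run(lines, threshold=3, window=timedelta(minutes=10),
        block_for=timedelta(hours=1), never_block=("192.168.0.0/16",)):
    """Feed log lines through a blocker; return [(ip, expiry), ...] in order."""
    blocker = FailureBlocker(threshold, window, block_for, never_block)
    events = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if blocker.observe(ts, ip):
            events.append((ip, blocker.blocked[ip]))
    return events


if __name__ == "__main__":
    for ip, expiry in run(SAMPLE_LOG.splitlines()):
        print(f"block {ip} until {expiry:%H:%M:%S}")
```

With the defaults (three failures inside ten minutes) only 203.0.113.7 is blocked: 198.51.100.9 also fails three times, but its first attempt slides out of the window before the third arrives, and 192.168.1.20 is exempt. Lowering the threshold or dropping the exemption changes that, which is exactly the tuning the thread says is "not trivial": the same counter that stops a bot is the one that locks out a legitimate user behind a shared gateway.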