Security process

Aggelos Economopoulos aoiko at cc.ece.ntua.gr
Tue Mar 9 11:03:43 PST 2010


Walter wrote:
> Aggelos Economopoulos wrote:
>> Walter wrote:
>>> I got curious about BSD (DragonFly, specifically) security and
>>> wondered why there wasn't a security process that processed all
>>> security-relevant error messages which could then be used to
>>> block IPs, disable user accounts, and kill processes.
>>
>> Because
>> a) such a mechanism could be used for DoS attacks on the system itself
>> b) whether an error message is "security-relevant" is not something one
>> can decide with a trivial heuristic
>> c) most network services are 3rd-party software that we have no
>> control over
>> d)...
> 
> I don't understand how blocking an IP that has had
> a hundred failed login attempts in the last ten
> minutes could create a DoS hole...

Because somebody might trick the system into blocking access for a valid
IP, either via outright spoofing or by simply confusing the logfile
parser that you are probably using (most of those were clumsy last time
I looked, but keep in mind that the syslog format was intended for human
consumption).

> What if someone hacked an account and started trying
> to gain root access?  Aren't there ways to tell you've
> got a hacker online before he/she compromises your
> system?  It seems like a good thing to know.  Yet, as
> I must admit, I have no idea what tools are in place
> which might be used to gauge this.  The heuristics may
> not be trivial, but could be developed... I was just
> wondering why no one had tried it.

Heuristics are mostly useful for admin convenience ("keeping the log
files clean"), they are not a substitute for actual security measures.

[...]
> I just thought that I'd like a tool that once I got some
> definable failed login attempts that I'd like the computer
> to automatically shunt the source IP for a while.

See above. FWIW (and as others have suggested already) I think disabling
password logins and/or moving ssh to a different port is your best bet
for this kind of problem.

HTH,
Aggelos
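The "confusing the logfile parser" point above is worth seeing concretely. The following is an added example, written for this page and not code from the thread or from DragonFly: it runs a naive fail2ban-style counter and an anchored one over a few constructed sshd log lines. The third sample line is what sshd emits when a client presents the user name "root from 192.0.2.10": the attacker-chosen string lands verbatim in the message, so any parser that grabs the first "from <token>" counts a strike against an address the attacker picked rather than the one the connection came from. The log lines, addresses, thresholds and the `allowlist` parameter are all assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (not from the thread). The third line
# is a failed login whose *user name* is "root from 192.0.2.10"; sshd logs
# the name as given, then appends the real peer address and port.
SAMPLE_LOG = """\
Mar  9 11:01:02 host sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Mar  9 11:01:05 host sshd[1002]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Mar  9 11:01:09 host sshd[1003]: Invalid user root from 192.0.2.10 from 198.51.100.7 port 40003
Mar  9 11:01:12 host sshd[1004]: Accepted publickey for alice from 203.0.113.5 port 50000 ssh2
"""

FAILURE_MARKERS = ("Failed password", "Invalid user")


def naive_failed_logins(log: str) -> Counter:
    """Count failures per address the way a quick script tends to:
    any failure line, first 'from <token>' wins. Attacker-controlled
    text in the user name therefore decides which address is charged."""
    counts = Counter()
    for line in log.splitlines():
        if not any(marker in line for marker in FAILURE_MARKERS):
            continue
        m = re.search(r"from (\S+)", line)
        if m:
            counts[m.group(1)] += 1
    return counts


IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# Anchored to the syslog/sshd prefix at the front and to the
# "from <ip> port <n>" tail that sshd itself appends at the end, so the
# user name (lazy ".+?" in the middle) can say "from" as often as it likes.
ANCHORED_RE = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+\S+\s+sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?.+?|Invalid user .+?) "
    r"from (" + IPV4 + r") port \d+(?: ssh2)?$"
)


def anchored_failed_logins(log: str) -> Counter:
    """Count failures per address using the anchored pattern: only the
    trailing address, the one sshd derived from the socket, is counted."""
    counts = Counter()
    for line in log.splitlines():
        m = ANCHORED_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def ips_to_block(counts: Counter, threshold: int, allowlist=frozenset()) -> set:
    """Addresses at or over the threshold, minus an allowlist.

    The allowlist is the practical answer to the self-DoS objection:
    even with a correct parser, a flood of failures from a shared
    address (an office NAT, a jump host, your own monitoring) would
    otherwise lock legitimate users out, so those never get shunted.
    """
    return {ip for ip, n in counts.items() if n >= threshold and ip not in allowlist}


if __name__ == "__main__":
    print("naive:   ", dict(naive_failed_logins(SAMPLE_LOG)))
    print("anchored:", dict(anchored_failed_logins(SAMPLE_LOG)))
    print("block:   ", ips_to_block(anchored_failed_logins(SAMPLE_LOG), 3))
```

Run against the sample, the naive counter charges one strike to 192.0.2.10, an address that never connected, while the anchored one attributes all three failures to 198.51.100.7. That is the (b) objection in miniature: deciding what a log line "means" requires knowing the exact format the daemon writes, and the parser must be anchored to the fields the client cannot influence. It is also why the anchored version is still only a convenience, not a security boundary: a new sshd release that changes the message format silently turns it into a parser that matches nothing.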

More information about the Users mailing list