[ale] failed ssh login attempts
Geoffrey
esoteric at 3times25.net
Fri Feb 11 22:19:12 EST 2005
Fletch wrote:
>>>>>>"Geoffrey" == Geoffrey <esoteric at 3times25.net> writes:
>
>
> Geoffrey> Jim Lynch wrote:
> >> What someone really needs to do is write a ssh spoofing daemon
> >> to accept any user and any password and let them think they've
> >> logged in. If there were enough out there, maybe it would keep
> >> the chaps busy sorting the spoofs from reality.
>
> Geoffrey> It's already been done, called a tar pit...
>
> ITYM "honey pot" for a machine that's intentionally put out to look
> like an interesting target to catch the eye of whatever black hats or
> script kitties are poking your network. They go for the sweet low
> hanging fruit while you're tracing them back.
>
>
> I think I've only heard "tar pit" in the sense of the slow SMTP
> servers (from the original German implementation 'teergrube') meant to
> cause much pain for spammers by holding open an SMTP session for a
> long time (say tens of seconds between each SMTP response).
There was actually an article in Linux Journal which referred to them as
tar pits. I don't believe it specifically mentioned SMTP, but I could
be wrong. As described, it does just what you indicate. Hold the
connection open and just waste their time and resources. I think it was
a patch to iptables, but again, it's been a while. I need to dig that
puppy.
> It slows
> down legitimate mail slightly, but the more there are the more it cuts
> into J Random Spammer's deliveries / unit time. OpenBSD comes with a
> daemon spamd which can be used to accept SMTP from untrusted sources
> that waits 1 second (configurable of course) between each character it
> sends back. Unknown sending machines can also be set to get a
> temporarily undeliverable error on their first connect; legitimate
> MTAs will attempt to deliver again (and then get the teergrube
> behavior), while most spammers are likely to just move on.
>
--
Until later, Geoffrey
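The spamd behaviour quoted above (stutter one character per second at untrusted senders, temp-fail an unknown sender on first contact, let it through when it retries like a real MTA) is small enough to sketch end to end. The block below is an added example, not code from this thread and not OpenBSD spamd's own implementation: the timing constants, the per-IP greylist (spamd keys on more than the IP), the hostname mx.example.net and the listen port 2525 are all assumptions made for the illustration.

```python
"""Minimal SMTP tarpit with greylisting, modelled on the behaviour described
in the thread.  Added example; not OpenBSD spamd.  Timing values are assumed."""
import asyncio
import time

STUTTER_SECONDS = 1.0      # assumed: pause between each character sent back
PASSTIME = 25 * 60         # assumed: a retry must come at least this much later
GREYEXP = 4 * 3600         # assumed: forget a grey entry after this long


class Greylist:
    """Per-client-IP decision: 'grey' (tarpit + temporary failure) or 'pass'."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so the logic can be tested offline
        self.first_seen = {}

    def check(self, ip):
        now = self.clock()
        first = self.first_seen.get(ip)
        if first is None or now - first > GREYEXP:
            self.first_seen[ip] = now   # new (or expired) sender: start tarpitting
            return "grey"
        if now - first < PASSTIME:
            return "grey"               # came back too soon: still tarpitted
        return "pass"                   # patient retry, as a legitimate MTA does


def tarpit_response(command, greeting=False):
    """Reply text for one client command.  Note the 450: a temporary failure,
    so a real MTA queues and retries instead of bouncing the message."""
    verb = command.split(" ", 1)[0].upper() if command else ""
    if greeting:
        return "220 mx.example.net ESMTP\r\n"
    if verb in ("HELO", "EHLO"):
        return "250 mx.example.net\r\n"
    if verb in ("MAIL", "RCPT"):
        return "250 ok\r\n"
    if verb == "DATA":
        return "450 try again later\r\n"
    if verb == "QUIT":
        return "221 bye\r\n"
    return "500 command unrecognized\r\n"


async def stutter(writer, text, sleep=asyncio.sleep, delay=STUTTER_SECONDS):
    """Send `text` one byte at a time, sleeping `delay` after each byte.
    The client's SMTP session stays open the whole time: that is the tarpit."""
    for ch in text:
        writer.write(ch.encode())
        await writer.drain()
        await sleep(delay)


class _RecordingWriter:
    """Stand-in for an asyncio StreamWriter, used by dry_run()."""
    def __init__(self):
        self.buf = b""
    def write(self, data):
        self.buf += data
    async def drain(self):
        pass


def dry_run(text, delay=STUTTER_SECONDS):
    """Run stutter() without a socket or real sleeping; return (bytes, delays)."""
    delays = []
    async def fake_sleep(d):
        delays.append(d)
    w = _RecordingWriter()
    asyncio.run(stutter(w, text, sleep=fake_sleep, delay=delay))
    return w.buf, delays


async def handle(reader, writer, greylist):
    ip = writer.get_extra_info("peername")[0]
    if greylist.check(ip) == "pass":
        writer.close()              # real deployment: hand off to the actual MTA
        return
    await stutter(writer, tarpit_response("", greeting=True))
    while True:
        line = await reader.readline()
        if not line:
            break
        cmd = line.decode(errors="replace").strip()
        await stutter(writer, tarpit_response(cmd))
        if cmd.upper().startswith("QUIT"):
            break
    writer.close()


async def main(host="127.0.0.1", port=2525):    # assumed listen address
    greylist = Greylist()
    server = await asyncio.start_server(
        lambda r, w: handle(r, w, greylist), host, port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

Two design points carry over from the quoted description: every reply is stuttered, so the connection (and the spammer's delivery thread) is tied up for the whole exchange, and the failure at DATA is a 4xx temporary code, never a 5xx, so a legitimate MTA simply queues the message and comes back later, at which point the greylist lets it through.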