+1. I see this as two different problems, and one of the negatives of
SRV records is that it opens sites up to discovery issues. Can't do
much about that but make sure the site is fortified against attacks.
We use a default 3-attempt login limit across the board and a failure
will block the IP across all the internet hosting servers. I can
attest this is an extremely well-liked feature and it has helped people go
to sleep better. I don't think this necessary protection has anything
to do with how the attacker found the site - SRV or otherwise.

Arnt Gulbrandsen wrote:
> On 08/19/2011 02:05 PM, Alessandro Vesely wrote:
>> As well as they automate client setup, SRV records also automate
>> cracking.
>
> How is that?
>
> Keep in mind that the net is small these days. The bruteforce kiddies
> sweep the entire IPv4 internet, and do it quickly. I set up a new public
> box the other day, it was swept during its first working day, and I've
> heard stories of "rooted in x minutes" for scarily small values of x.
> I venture to suggest that at the moment, sweeping the IPv4 net looking
> for open TCP ports is easier than sweeping the DNS looking for SRV records.
>
> Arnt

--
Sincerely
Hector Santos
http://www.santronics.com
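
The lockout policy described at the top of this message (three failed logins, then the IP is blocked on every hosted service) can be sketched as below. This is an added example, not code from the thread or from the poster's product; the class and function names, the reset-on-success rule and the sample events are assumptions made for illustration.

```python
from collections import defaultdict

MAX_FAILURES = 3  # the "3-attempt login limit" from the message


class SharedLoginGuard:
    """One failure counter and one blocklist shared by every service."""

    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self.failures = defaultdict(int)  # ip -> failed logins since last success
        self.blocked = {}                 # ip -> service that tripped the limit

    def allowed(self, ip):
        return ip not in self.blocked

    def record(self, service, ip, success):
        """Feed one login result; return 'refused', 'ok', 'failed' or 'blocked'."""
        if ip in self.blocked:
            return "refused"              # blocked on one service means blocked on all
        if success:
            self.failures.pop(ip, None)   # assumption: a good login resets the count
            return "ok"
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_failures:
            self.blocked[ip] = service
            return "blocked"
        return "failed"


# Constructed sample events: (service, client IP, login succeeded?)
SAMPLE_EVENTS = [
    ("smtp", "192.0.2.10", False),
    ("pop3", "192.0.2.10", False),
    ("imap", "198.51.100.7", False),
    ("imap", "198.51.100.7", True),
    ("imap", "192.0.2.10", False),  # third failure, spread over three services
    ("smtp", "192.0.2.10", True),   # correct password arrives after the block
    ("imap", "198.51.100.7", False),
]


def replay(events):
    """Run the events through a fresh guard and return it with the outcomes."""
    guard = SharedLoginGuard()
    return guard, [guard.record(*event) for event in events]


if __name__ == "__main__":
    guard, outcomes = replay(SAMPLE_EVENTS)
    for event, outcome in zip(SAMPLE_EVENTS, outcomes):
        print(event, "->", outcome)
    print("blocked:", guard.blocked)
```

Because the counter is keyed on the client IP alone, the block applies no matter which service or discovery path (SRV lookup or port sweep) led the client there.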