Date: 22 Nov 2005 14:48:46 -0500 From: Lowell Gilbert <freebsd-security-local@be-well.ilk.org> To: freebsd-security@freebsd.org Subject: Re: Need urgent help regarding security Message-ID: <44br0cqx9d.fsf@be-well.ilk.org> In-Reply-To: <20051122112344.U18517@roble.com> References: <20051122120112.9D83516A423@hub.freebsd.org> <20051122075050.I81101@roble.com> <43836D25.5000101@kernel32.de> <20051122112344.U18517@roble.com>
next in thread | previous in thread | raw e-mail | index | archive | help
> >Be careful with adding ip addresses to deny via a packet filter. > >If an attacker uses spoofed IP adresses, you may produce yourself > >easily a denial of service attack. > > Not sure I agree with the easily part. TCP transport plus SSH > protocol spoofing is not a vector that normally needs to be secured > beyond what is already done in the kernel and router. That's not to > say such spoofing cannot be done, just that it is rare and would > require a compromised router or localnet host at a minimum. Except that it doesn't require spoofed addresses. One attacker from the local university's computer center (or from a large shell service ISP) could lock out all of the other users on that machine. Trivially.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44br0cqx9d.fsf>