From owner-freebsd-security@FreeBSD.ORG Sat Sep 18 22:44:34 2004
Message-ID: <414CBA51.4060502@withagen.nl>
Date: Sun, 19 Sep 2004 00:44:33 +0200
From: Willem Jan Withagen <wjw@withagen.nl>
To: freebsd-security@freebsd.org
References: <414C2798.7060509@withagen.nl> <6917b781040918103077c76f0c@mail.gmail.com> <414CAC56.8020601@withagen.nl> <6917b781040918150446b7dada@mail.gmail.com> <414CB5EF.7080901@withagen.nl> <20040918222819.GG20449@pir.net>
In-Reply-To: <20040918222819.GG20449@pir.net>
Subject: Re: Attacks on ssh port

Peter Radcliffe wrote:

> Willem Jan Withagen probably said:
>
>> I also have portsentry in a rather sensitive mode doing exactly the same
>> thing.
>> Trigger one of the "backdoor" ports, and you're out of my game.
>
> The general problem with this type of reactive filtering is that if
> someone can spoof the source addresses effectively or cause a connection
> from a legitimate host you've just DoSed yourself...
>
> Personally I only allow ssh from known legitimate sources and block the
> rest so the "noise" is in a completely different list.

I do too, on systems that are completely mine. But I had to "force" this
customer to refrain from using ftp/telnet/... with plain open passwords.
And access to this box is required from various remote locations with yet
unknown IPs. So I have little chance there.

As far as I know, you need to go through a lot of trouble to complete a
spoofed full 3-way handshake just to get my maintenance IP number blocked.
Next to the fact that there is a rule before the blocked list which lets
me in anyway.... :)

--WjW
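The two safeguards Willem describes (reacting only to completed connections, and keeping a maintenance allow rule ahead of the dynamic block list) can be modelled in a few lines. The following is an added example, not code from the thread, portsentry or FreeBSD; it is a Python model of first-match rule evaluation rather than a real ipfw or pf ruleset, and the addresses, trap ports and the `ReactiveFirewall` class are constructed for illustration.

```python
"""Added example: first-match firewall with an allow rule ahead of a dynamic
block list, plus a portsentry-style reactive blocker that only reacts to
completed connections. Addresses and ports are constructed for illustration."""
from dataclasses import dataclass, field
import ipaddress

# Constructed maintenance source range (the "rule before the blocked list").
MAINT_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Constructed trap ("backdoor") ports that the reactive filter watches.
TRAP_PORTS = {23, 2323, 31337}
SSH_PORT = 22


@dataclass
class ReactiveFirewall:
    allow_nets: list
    blocked: set = field(default_factory=set)

    def decide(self, src: str, dport: int) -> str:
        """First-match evaluation, in the order an ipfw/pf ruleset would use."""
        ip = ipaddress.ip_address(src)
        # Rule 1: maintenance sources pass before the block list is consulted.
        if any(ip in net for net in self.allow_nets):
            return "allow"
        # Rule 2: dynamically blocked sources are dropped entirely.
        if src in self.blocked:
            return "deny"
        # Rule 3: ssh stays open to unknown remote locations; everything else is dropped.
        return "allow" if dport == SSH_PORT else "deny"

    def observe(self, src: str, dport: int, handshake_complete: bool) -> bool:
        """Reactive trigger: block only on a completed connection to a trap port.
        A bare SYN carrying a spoofed source never completes the handshake, so
        it cannot get an arbitrary address added to the block list."""
        if dport in TRAP_PORTS and handshake_complete:
            self.blocked.add(src)
            return True
        return False


def run_scenario() -> dict:
    """Walk through the cases discussed in the thread and return the decisions."""
    fw = ReactiveFirewall(allow_nets=MAINT_NETS)
    results = {}
    # A scanner completes a TCP connection to a trap port and gets blocked.
    fw.observe("198.51.100.7", 2323, handshake_complete=True)
    results["scanner_ssh_after_trigger"] = fw.decide("198.51.100.7", SSH_PORT)
    # A spoofed SYN (no handshake) naming the maintenance address adds nothing.
    results["spoofed_syn_blocked"] = fw.observe("203.0.113.10", 31337, handshake_complete=False)
    # Even if the maintenance address did land in the block list, the allow
    # rule sits ahead of it, so maintenance access survives.
    fw.observe("203.0.113.10", 31337, handshake_complete=True)
    results["maint_in_blocklist"] = "203.0.113.10" in fw.blocked
    results["maint_ssh"] = fw.decide("203.0.113.10", SSH_PORT)
    # An unknown remote location (the customer's case) can still reach ssh.
    results["unknown_ssh"] = fw.decide("192.0.2.44", SSH_PORT)
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The ordering is the whole point: if the block-list rule were evaluated first, any source that ends up in the list, legitimately or through a completed spoofed connection, would lock the administrator out, which is the self-DoS Peter warns about.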