Date: Tue, 22 Aug 2006 10:08:59 +0200
From: Uwe Doering <gemini@geminix.org>
To: freebsd-security@FreeBSD.ORG
Subject: Re: SSH scans vs connection ratelimiting
Message-ID: <44EABB9B.5040908@geminix.org>
In-Reply-To: <200608211311.k7LDBPms032155@lurza.secnetix.de>
References: <200608211311.k7LDBPms032155@lurza.secnetix.de>
Oliver Fromme wrote:
 > 
 > PS: I try to avoid things like automatic blocking of IP
 > addresses. They can be dangerous, because such automatisms
 > can be used to run DoS attacks against you, by spoofing
 > source IPs. Whitelists can help a bit, but you still have
 > to be extremely careful.
 > 
 > I know one case where someone had a similar setup, blocking
 > IPs completely (not just port 22) if there have been too
 > many connection attempts. He whitelisted the IP addresses
 > of the workstations from which he was usually connecting
 > with ssh, and so he assumed he was safe. Well, until a
 > "friend" of his ran an SSH scan against the machine,
 > spoofing the IP addresses of his DNS servers, in effect
 > putting the machine offline. :-)

I agree with you that you are vulnerable if your hardening mechanism
against SSH scans is based on counting TCP packets with SYN flags.

You ought to be safe, though, if you went by monitoring the SSH daemon's
logfile, because it takes several exchanges between the SSH client and
server before a failed login attempt gets logged. It is hard to believe
that someone could fake a complete exchange like this from the remote
via a TCP connection while using source IP address spoofing.

My understanding so far is that source IP address spoofing from the
remote works only with connectionless protocols like UDP and ICMP, or
TCP SYN packets as a special case. Please correct me if I'm wrong.

Regards,

   Uwe
-- 
Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org  |  http://www.escapebox.net
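The log-based approach Uwe describes, as an added example that is not part of the original thread or of any FreeBSD tool: the script below parses constructed sshd auth-log lines (sample data made up for this example), counts failed authentication attempts per source address, applies a whitelist of the kind Oliver mentions, and renders pfctl(8) commands for a pf table whose name (`sshbrute`) is an assumption here. The security-relevant point is in what gets counted: a "Failed ... for ... from ..." line is written by sshd only after the TCP handshake, the SSH version and key exchange, and an authentication request have completed, so a SYN flood with forged source addresses never produces one. A spoofed DNS-server address therefore never reaches the block list, unlike with a rule that counts SYNs.

```python
import re
from collections import Counter

# Constructed sample auth log (not from the original post), in the shape
# syslog gives OpenSSH messages on FreeBSD: timestamp, host, "sshd[pid]:",
# then the daemon's own text.
SAMPLE_LOG = """\
Aug 22 09:58:01 host sshd[12345]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Aug 22 09:58:03 host sshd[12346]: Failed password for invalid user oracle from 203.0.113.7 port 40113 ssh2
Aug 22 09:58:05 host sshd[12347]: Failed password for root from 203.0.113.7 port 40114 ssh2
Aug 22 09:58:06 host sshd[12348]: Invalid user test from 203.0.113.7
Aug 22 09:58:09 host sshd[12349]: Failed password for uwe from 192.0.2.10 port 51000 ssh2
Aug 22 09:58:12 host sshd[12350]: Accepted publickey for uwe from 192.0.2.10 port 51001 ssh2
Aug 22 09:58:14 host sshd[12351]: Failed password for invalid user guest from 198.51.100.3 port 2222 ssh2
Aug 22 09:58:15 host sshd[12352]: Did not receive identification string from 198.51.100.3
"""

# sshd logs "Failed <method> for [invalid user ]<name> from <ip> port <n> ssh2"
# only after a completed TCP handshake plus the SSH version exchange, key
# exchange and an authentication request. Counting these lines, rather than
# raw SYNs, is what keeps a spoofed-source scan out of the block list.
# "Invalid user ..." and "Did not receive identification string ..." are
# deliberately not counted as failed logins.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins_by_source(log_text):
    """Count failed authentication attempts per source IP address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def hosts_to_block(log_text, threshold, whitelist=frozenset()):
    """Source IPs with at least `threshold` failures, minus the whitelist.

    The whitelist is meant for the addresses you administer from; with
    log-based counting it does not need to cover hosts such as your DNS
    servers, since a forged SYN from their address never yields a
    "Failed ..." line.
    """
    counts = failed_logins_by_source(log_text)
    return {ip for ip, n in counts.items() if n >= threshold and ip not in whitelist}


def pf_table_commands(ips, table="sshbrute"):
    """Render pfctl(8) commands adding the offenders to a pf table.

    A matching 'block in quick from <sshbrute>' rule in pf.conf would then
    drop their traffic. The table name is an assumption for this example.
    """
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(ips)]


if __name__ == "__main__":
    offenders = hosts_to_block(SAMPLE_LOG, threshold=3, whitelist={"192.0.2.10"})
    for cmd in pf_table_commands(offenders):
        print(cmd)
```

Run against the sample, only 203.0.113.7 crosses a threshold of three; 198.51.100.3 has one failed password and one aborted connection, and 192.0.2.10 (a whitelisted workstation in this example) is ignored regardless of its count. In production the script would tail /var/log/auth.log rather than a string, and the counters need a time window so that an entry ages out.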