From owner-freebsd-security@FreeBSD.ORG Tue Aug 22 08:09:03 2006
Message-ID: <44EABB9B.5040908@geminix.org>
Date: Tue, 22 Aug 2006 10:08:59 +0200
From: Uwe Doering <gemini@geminix.org>
Organization: Private UNIX Site
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.13) Gecko/20060423
To: freebsd-security@FreeBSD.ORG
References: <200608211311.k7LDBPms032155@lurza.secnetix.de>
In-Reply-To: <200608211311.k7LDBPms032155@lurza.secnetix.de>
Subject: Re: SSH scans vs connection ratelimiting
List-Id: "Security issues [members-only posting]"

Oliver Fromme wrote:
>
> PS: I try to avoid things like automatic blocking of IP
> addresses. They can be dangerous, because such automatisms
> can be used to run DoS attacks against you, by spoofing
> source IPs. Whitelists can help a bit, but you still have
> to be extremely careful.
>
> I know one case where someone had a similar setup, blocking
> IPs completely (not just port 22) if there have been too
> many connection attempts. He whitelisted the IP addresses
> of the workstations from which he was usually connecting
> with ssh, and so he assumed he was safe. Well, until a
> "friend" of his ran an SSH scan against the machine,
> spoofing the IP addresses of his DNS servers, in effect
> putting the machine offline. :-)

I agree with you that you are vulnerable if your hardening mechanism
against SSH scans is based on counting TCP packets with SYN flags. You
ought to be safe, though, if you went by monitoring the SSH daemon's
logfile, because it takes several exchanges between the SSH client and
server before a failed login attempt gets logged. It is hard to believe
that someone could fake a complete exchange like this from the remote
via a TCP connection while using source IP address spoofing.

My understanding so far is that source IP address spoofing from the
remote works only with connectionless protocols like UDP and ICMP, or
TCP SYN packets as a special case. Please correct me if I'm wrong.

Regards,

Uwe
--
Uwe Doering | EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org | http://www.escapebox.net
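As an added illustration of the log-based approach Uwe describes (this code is not part of the original thread), here is a small Python checker run over constructed sshd log lines: a "Failed password" record is only written after the TCP handshake and SSH exchange have completed, so the source address in it is one the peer really spoke from; the threshold, window and whitelist values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines in syslog format (not a real capture).
SAMPLE_LOG = """\
Aug 22 08:01:10 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40111 ssh2
Aug 22 08:01:12 host sshd[1202]: Failed password for invalid user test from 203.0.113.7 port 40112 ssh2
Aug 22 08:01:15 host sshd[1203]: Failed password for root from 203.0.113.7 port 40113 ssh2
Aug 22 08:01:20 host sshd[1204]: Accepted publickey for uwe from 192.0.2.5 port 50222 ssh2
Aug 22 08:02:01 host sshd[1205]: Failed password for uwe from 192.0.2.5 port 50223 ssh2
Aug 22 08:30:00 host sshd[1206]: Failed password for invalid user oracle from 203.0.113.7 port 40114 ssh2
"""

# Only failed authentications count; a bare SYN never produces this line.
FAILED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)


def parse_failures(log_text, year=2006):
    """Yield (timestamp, source_ip) for every logged failed login.
    syslog lines carry no year, so one is supplied (assumed 2006 here)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)


def offenders(log_text, threshold=3, window=timedelta(minutes=10), whitelist=()):
    """Return the IPs with at least `threshold` failures inside any sliding
    `window`, ignoring whitelisted addresses (assumed operator-chosen values)."""
    events = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        if ip not in whitelist:
            events[ip].append(ts)
    flagged = set()
    for ip, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return sorted(flagged)
```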