From owner-freebsd-security@FreeBSD.ORG Tue Nov 22 19:35:36 2005
Date: Tue, 22 Nov 2005 11:35:29 -0800 (PST)
From: Roger Marquis
To: Marian Hettwer
Cc: freebsd-security@freebsd.org
Subject: Re: Need urgent help regarding security
In-Reply-To: <43836D25.5000101@kernel32.de>
Message-ID: <20051122112344.U18517@roble.com>

>> 2) running an sshd IDS that A) tests for '(for invalid user|Failed
>> password for)', B) blackholes source hosts 'ipfw add deny ...', and
>> C) alerts sysadmin or operations personnel,
>>
> Be careful with adding IP addresses to deny via a packet filter.
> If an attacker uses spoofed IP addresses, you may produce yourself
> easily a denial of service attack.

Not sure I agree with the easily part. TCP transport plus SSH protocol
spoofing is not a vector that normally needs to be secured beyond what is
already done in the kernel and router. That's not to say such spoofing
cannot be done, just that it is rare and would require a compromised
router or localnet host at a minimum.

> Say I used the IP address of your default gateway. If you
> don't check that and just add a deny rule... well... bad luck ;-)

I would hope that your router doesn't accept packets with its own source
address. But this does bring up a good point, i.e., that no IDS should be
operated without a well thought-out whitelist.

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
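The sshd watcher sketched in quoted item 2, with the whitelist the reply says no IDS should run without, as an added example (this is not code from the thread, from Roger Marquis, or from FreeBSD). It assumes OpenSSH's "Failed password for ... from <ip>" / "Invalid user ... from <ip>" log lines, treats 192.0.2.1 as the default gateway, uses constructed log lines from documentation address ranges, and only prints the `ipfw add deny` commands rather than executing them; the threshold, rule number and whitelist contents are assumptions to adapt per site.

```python
"""sshd brute-force watcher with a mandatory whitelist (added example).

Counts failed sshd logins per source address, refuses to block anything
on the whitelist (loopback, default gateway, admin hosts), and emits
ipfw deny rules for the rest.  It prints the rules; it does not run them.
"""
import ipaddress
import re
from collections import Counter

# Pattern after the thread's '(for invalid user|Failed password for)',
# extended to also catch OpenSSH's standalone "Invalid user X from IP" line.
FAIL_RE = re.compile(
    r"(?:Invalid user|Failed password for)\b.*?\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b"
)

# Assumed whitelist: loopback plus the default gateway (192.0.2.1 here is a
# made-up documentation address).  Add your own management networks.
DEFAULT_WHITELIST = ("127.0.0.0/8", "192.0.2.1/32")

# One shared rule number so every automatic block can be flushed at once
# with `ipfw delete 5000` (assumed value; pick one free in your ruleset).
BLOCK_RULE_NUMBER = 5000

# Constructed sample log lines, not taken from any real host.
SAMPLE_LOG = """\
Nov 22 11:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Nov 22 11:01:05 host sshd[1235]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Nov 22 11:01:09 host sshd[1236]: Failed password for root from 203.0.113.7 port 51250 ssh2
Nov 22 11:02:10 host sshd[1240]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Nov 22 11:03:00 host sshd[1241]: Failed password for invalid user test from 192.0.2.1 port 40002 ssh2
Nov 22 11:03:01 host sshd[1242]: Failed password for invalid user test from 192.0.2.1 port 40003 ssh2
Nov 22 11:03:02 host sshd[1243]: Failed password for invalid user test from 192.0.2.1 port 40004 ssh2
Nov 22 11:04:00 host sshd[1250]: Accepted publickey for bob from 198.51.100.5 port 40005 ssh2
"""


def parse_failures(log_text):
    """Return a Counter mapping source IP -> number of failed sshd logins."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def is_whitelisted(ip, whitelist=DEFAULT_WHITELIST):
    """True if ip falls inside any whitelisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in whitelist)


def plan_blocks(log_text, threshold=3, whitelist=DEFAULT_WHITELIST):
    """Return (to_block, skipped): sources over the threshold, split by whitelist.

    A whitelisted source that crosses the threshold is reported as skipped so
    an operator can still be alerted (the thread's item C) without the IDS
    blackholing its own gateway on a spoofed or misbehaving peer.
    """
    to_block, skipped = [], []
    for ip, count in sorted(parse_failures(log_text).items()):
        if count < threshold:
            continue
        (skipped if is_whitelisted(ip, whitelist) else to_block).append(ip)
    return to_block, skipped


def ipfw_rules(ips, rule_number=BLOCK_RULE_NUMBER):
    """Render the ipfw commands for the chosen sources (not executed)."""
    return [f"ipfw add {rule_number} deny ip from {ip} to any" for ip in ips]


if __name__ == "__main__":
    block, skip = plan_blocks(SAMPLE_LOG)
    for rule in ipfw_rules(block):
        print(rule)
    for ip in skip:
        print(f"# ALERT: {ip} exceeded threshold but is whitelisted; not blocking")
```

On the sample input the only rule emitted is for 203.0.113.7; 192.0.2.1 crosses the threshold but is the gateway and is reported rather than blocked, and 192.0.2.10 never reaches the threshold. A production version would also exempt the networks administrators log in from and expire the rules, since a permanent deny on a shared NAT address is the same self-inflicted denial of service the thread warns about.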