Need urgent help regarding security
Lowell Gilbert
freebsd-security-local at be-well.ilk.org
Tue Nov 22 11:48:57 PST 2005
> >Be careful with adding ip addresses to deny via a packet filter.
> >If an attacker uses spoofed IP adresses, you may produce yourself
> >easily a denial of service attack.
>
> Not sure I agree with the easily part. TCP transport plus SSH
> protocol spoofing is not a vector that normally needs to be secured
> beyond what is already done in the kernel and router. That's not to
> say such spoofing cannot be done, just that it is rare and would
> require a compromised router or localnet host at a minimum.
Except that it doesn't require spoofed addresses. One attacker from the
local university's computer center (or from a large shell service ISP)
could lock out all of the other users on that machine. Trivially.
More information about the freebsd-security
mailing list