SSH scans vs connection ratelimiting

Uwe Doering gemini at geminix.org
Tue Aug 22 08:09:03 UTC 2006


Oliver Fromme wrote:
> 
> PS:  I try to avoid things like automatic blocking of IP
> addresses.  They can be dangerous, because such automatisms
> can be used to run DoS attacks against you, by spoofing
> source IPs.  Whitelists can help a bit, but you still have
> to be extremely careful.
> 
> I know one case where someone had a similar setup, blocking
> IPs completely (not just port 22) if there have been too
> many connection attempts.  He whitelisted the IP addresses
> of the workstations from which he was usually connecting
> with ssh, and so he assumed he was safe.  Well, until a
> "friend" of his ran an SSH scan against the machine,
> spoofing the IP addresses of his DNS servers, in effect
> putting the machine offline.  :-)

I agree with you that you are vulnerable if your hardening mechanism 
against SSH scans is based on counting TCP packets with SYN flags.  You 
ought to be safe, though, if you went by monitoring the SSH daemon's 
logfile because it takes several exchanges between the SSH client and 
server before a failed login attempt gets logged.  It is hard to believe 
that someone could fake a complete exchange like this remotely over a 
TCP connection while using source IP address spoofing.  My 
understanding so far is that source IP address spoofing from a remote 
host works only with connectionless protocols like UDP and ICMP, or TCP 
SYN packets as a special case.  Please correct me if I'm wrong.

Regards,

    Uwe
-- 
Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
gemini at geminix.org  |  http://www.escapebox.net
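The contrast drawn in the message above, as an added example that is not part of the original post nor of any FreeBSD or OpenSSH tool: a SYN-counting blocker trusts the source address in the IP header, which a remote attacker can forge, while a log-driven blocker only counts "Failed password ..." lines, which sshd writes after the TCP handshake and SSH key exchange have completed with the real peer. The sample log lines and SYN records are constructed for the example (OpenSSH-style syslog format, year assumed to be 2006 since syslog timestamps carry none); 192.0.2.53 plays the role of the whitelisted DNS server from the anecdote.

```python
"""Log-driven vs SYN-counting SSH brute-force blockers (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# A completed authentication failure as OpenSSH logs it via syslog. sshd can only
# emit this after the TCP three-way handshake and the SSH key exchange succeeded,
# so the address in the line belongs to a host that really talked to us.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey|none) for (?:invalid user )?\S+ "
    r"from (?P<ip>[0-9a-fA-F:.]+) port \d+"
)

# Constructed sample log (not from the original post). The "Connection closed"
# and "Accepted" lines are deliberate noise that must not count as failures.
SAMPLE_LOG = """\
Aug 22 08:01:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Aug 22 08:01:02 host sshd[1002]: Invalid user admin from 203.0.113.7
Aug 22 08:01:02 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Aug 22 08:01:03 host sshd[1003]: Failed password for root from 203.0.113.7 port 40003 ssh2
Aug 22 08:01:04 host sshd[1004]: Failed password for root from 203.0.113.7 port 40004 ssh2
Aug 22 08:01:05 host sshd[1005]: Connection closed by 198.51.100.2 port 50000 [preauth]
Aug 22 08:01:06 host sshd[1006]: Accepted publickey for uwe from 192.0.2.10 port 51000 ssh2
Aug 22 08:40:00 host sshd[1008]: Failed password for root from 198.51.100.9 port 53000 ssh2
"""

# Constructed SYN records as a packet-counting firewall rule sees them:
# (timestamp, claimed source). The source is whatever the sender wrote into the
# IP header, so a scanner can make the DNS server 192.0.2.53 appear here at will.
SAMPLE_SYNS = [
    ("Aug 22 08:02:00", "192.0.2.53"),
    ("Aug 22 08:02:00", "192.0.2.53"),
    ("Aug 22 08:02:01", "192.0.2.53"),
    ("Aug 22 08:02:01", "192.0.2.53"),
    ("Aug 22 08:02:02", "203.0.113.7"),
]


def parse_failures(log_text, year=2006):
    """Yield (timestamp, ip_address) for every completed login failure."""
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        yield ts, ipaddress.ip_address(m.group("ip"))


def log_offenders(log_text, threshold=3, window=timedelta(minutes=10), whitelist=()):
    """Addresses with at least `threshold` login failures inside any `window`.

    Only real peers can produce failures, so a spoofed source cannot be pushed
    over the threshold; the whitelist is an extra safety net, not the defence.
    """
    allowed = [ipaddress.ip_network(n) for n in whitelist]
    events = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        events[ip].append(ts)
    blocked = []
    for ip, times in events.items():
        if any(ip in net for net in allowed):
            continue
        times.sort()
        # Sliding window: any run of `threshold` failures within `window` trips it.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                blocked.append(str(ip))
                break
    return sorted(blocked)


def syn_offenders(syn_records, threshold=3):
    """Per-source SYN counting: the scheme the post calls vulnerable to spoofing."""
    counts = defaultdict(int)
    for _ts, src in syn_records:
        counts[src] += 1
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("log-based  :", log_offenders(SAMPLE_LOG))   # only the real scanner
    print("SYN-based  :", syn_offenders(SAMPLE_SYNS))  # the spoofed DNS server too
```

Running it shows the asymmetry: the log-based blocker flags only 203.0.113.7, which genuinely completed four logins in three seconds, and never sees 192.0.2.53 because a spoofed SYN never gets as far as an authentication attempt; the SYN counter blocks 192.0.2.53 after four forged packets, which is exactly the outage described in the quoted anecdote. The single failure from 198.51.100.9 stays below the threshold either way.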