[mythtv-users] ssh attack
chris at cpr.homelinux.net
Sun Jan 1 18:44:22 EST 2006
On Sun, Jan 01, 2006 at 11:06:18AM -0500, Michael Starks wrote:
> If the attacker uses a spoofed source IP of localhost, the server's IP,
> a configured DNS server, the Zap2it web site(s) or some other needed IP,
> that would be an effective DoS. If the intent is a DoS of some sort
> rather than an interactive login, the reply to the SSH SYN is not
> necessary. Are there any provisions in these tools to protect against
> these types of spoofing attacks?
Protection from martians is built into the Linux TCP/IP stack. This
would protect you from someone trying to spoof localhost or a private
network address. The localhost packets are dropped if they arrive on
*any* interface other than lo, and packets claiming to be from a
private address are filtered by input interface and then MAC
validated. The box is still vulnerable if the private address
spoofing is done on a valid remote subnet and passed by a deficient
router, but that's an organizational or procurement problem. Any
commercial device should block private source addresses arriving on
the WAN port, so if you have a Linksys-type device between your Linux
box and the internet you should be safe from local address spoofing.
Most remote address spoofing won't work because the reply packets
would go to the wrong address and would be dropped because there is
no established connection.
Having said all that, I would point out that the tools we are
discussing are designed to block repeated attempts to validate a
name/password combo. They won't pay any attention to connections
that are aborted prior to the validation attempt. If you're the
victim of a SYN flood then there are other (more appropriate)
solutions. The fail2ban rules also apply on a port-by-port basis, so
if your DNS server started making login attempts on your box then
those login ports would be blocked but the DNS packets would still
get through. Of course, if someone hacks your upstream DNS then you
have bigger problems than blocking ssh access as they could send you
false DNS replies for your internet banking site, for example....
That's *way* off-topic. :-)
--
"When fascism comes to America, it will be wrapped in the flag and
carrying the cross." - Sinclair Lewis (1935)
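[Editor's note, not part of the thread: the "martian" protection Chris describes is Linux strict reverse-path filtering (net.ipv4.conf.<if>.rp_filter=1). The Python model below is an added example, not code from the list or from the kernel; it reproduces the decision the stack makes, including the caveat that a spoofed address belonging to the WAN subnet itself passes, so the router in front of the box is what has to catch that. The routing table, interface names (lo/eth0/eth1) and packets are constructed for illustration and use RFC 5737 documentation ranges.]

```python
"""Strict reverse-path ("martian") filtering, modelled in Python.

Added example for the discussion above; not code from the mythtv-users
thread or from the Linux kernel. It reproduces the decision Linux makes
with net.ipv4.conf.<if>.rp_filter=1: a packet is accepted only if a reply
to its source address would leave through the interface it arrived on.
The routing table, interface names and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


# Constructed routing table for a home box: loopback, a LAN and a WAN uplink.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges (RFC 5737).
ROUTES = [
    Route(ipaddress.ip_network("127.0.0.0/8"), "lo"),
    Route(ipaddress.ip_network("192.168.1.0/24"), "eth0"),  # LAN side
    Route(ipaddress.ip_network("203.0.113.0/24"), "eth1"),  # WAN subnet
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth1"),       # default via WAN
]


def reverse_path(src):
    """Longest-prefix match: which interface would a reply to src leave by?"""
    addr = ipaddress.ip_address(src)
    best = None
    for route in ROUTES:
        if addr in route.prefix and (
            best is None or route.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = route
    return best.iface  # the default route guarantees a match


def rp_filter_verdict(in_iface, src):
    """Strict rp_filter decision for a packet with source src on in_iface.

    Returns ("accept" | "drop", reason). Loopback sources are handled
    separately because the kernel rejects them on any non-lo interface by
    default even with rp_filter off; the routing lookup would drop them too.
    """
    addr = ipaddress.ip_address(src)
    if addr.is_loopback and in_iface != "lo":
        return "drop", "loopback source on a non-loopback interface"
    expected = reverse_path(src)
    if expected != in_iface:
        return "drop", f"reply to {src} would leave via {expected}, not {in_iface}"
    return "accept", f"{src} is reachable back out {in_iface}"


# Constructed packets illustrating the cases raised in the message.
SAMPLE_PACKETS = [
    ("eth1", "127.0.0.1"),     # spoofed localhost from the Internet: dropped
    ("eth1", "192.168.1.50"),  # spoofed LAN address on the WAN port: dropped
    ("eth0", "192.168.1.50"),  # genuine LAN host: accepted
    ("eth1", "203.0.113.77"),  # spoofed neighbour on the WAN subnet: accepted (the caveat)
    ("eth1", "198.51.100.9"),  # arbitrary remote source via default route: accepted
    ("eth0", "198.51.100.9"),  # remote address showing up on the LAN side: dropped
]


def run_samples():
    """Return {(iface, src): verdict} for the constructed packets."""
    return {(i, s): rp_filter_verdict(i, s)[0] for i, s in SAMPLE_PACKETS}


if __name__ == "__main__":
    for (iface, src), verdict in run_samples().items():
        print(f"{iface:5} {src:15} {verdict:6} {rp_filter_verdict(iface, src)[1]}")
```

On a real box the setting to check is `sysctl net.ipv4.conf.all.rp_filter` (0 off, 1 strict as modelled here, 2 loose), with the effective value being the higher of the `all` and per-interface settings; turning on `log_martians` makes the drops visible in the kernel log. Note that this filter looks only at source address and ingress interface, which is why, as the message says, it does nothing about the later fail2ban stage of counting failed logins on a port.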