[mythtv-users] ssh attack

chris at cpr.homelinux.net chris at cpr.homelinux.net
Sun Jan 1 18:44:22 EST 2006


On Sun, Jan 01, 2006 at 11:06:18AM -0500, Michael Starks wrote:
> If the attacker uses a spoofed source IP of localhost, the server's IP,
> a configured DNS server, the Zap2it web site(s) or some other needed IP,
> that would be an effective DoS.  If the intent is a DoS of some sort
> rather than an interactive login, the reply to the SSH SYN is not
> necessary.  Are there any provisions in these tools to protect against
> these types of spoofing attacks?

Protection from martians is built into the Linux TCP/IP stack.  This 
would protect you from someone trying to spoof localhost or a private 
network address.  The localhost packets are dropped if they arrive on 
*any* interface other than lo, and packets claiming to be from a 
private address are filtered by input interface and then MAC 
validated.  The box is still vulnerable if the private address 
spoofing is done on a valid remote subnet and passed by a deficient 
router, but that's an organizational or procurement problem.  Any 
commercial device should block private source addresses arriving on 
the WAN port, so if you have a Linksys-type device between your Linux 
box and the internet you should be safe from local address spoofing.  
Most remote address spoofing won't work because the reply packets 
would go to the wrong address and would be dropped because there is 
no established connection.

Having said all that, I would point out that the tools we are 
discussing are designed to block repeated attempts to validate a 
name/password combo.  They won't pay any attention to connections 
that are aborted prior to the validation attempt.  If you're the 
victim of a syn-flood then there are other (more appropriate) 
solutions.  The fail2ban rules also apply on a port-by-port basis, so 
if your DNS server started making login attempts on your box then 
those login ports would be blocked but the DNS packets would still 
get through.  Of course, if someone hacks your up-stream DNS then you 
have bigger problems than blocking ssh access as they could send you 
false DNS replies for your internet banking site, for example....  
That's *way* off-topic. :-)

-- 
"When fascism comes to America, it will be wrapped in the flag and 
carrying the cross." - Sinclair Lewis (1935)


More information about the mythtv-users mailing list