Re: Need urgent help regarding security
From: Roger Marquis (marquis_at_roble.com)
Date: 11/22/05
- Previous message: Arne : "Re: Need urgent help regarding security"
- In reply to: Marian Hettwer: "Re: Need urgent help regarding security"
- Next in thread: Lowell Gilbert: "Re: Need urgent help regarding security"
- Reply: Lowell Gilbert: "Re: Need urgent help regarding security"
Date: Tue, 22 Nov 2005 11:35:29 -0800 (PST)
To: Marian Hettwer <MH@kernel32.de>
>> 2) running an sshd IDS that A) tests for '(for invalid user|Failed
>> password for)', B) blackholes source hosts 'ipfw add deny ...', and
>> C) alerts sysadmin or operations personnel,
>>
>Be careful with adding IP addresses to deny via a packet filter.
>If an attacker uses spoofed IP addresses, you may easily produce
>a denial of service attack against yourself.
Not sure I agree with the easily part. TCP transport plus SSH
protocol spoofing is not a vector that normally needs to be secured
beyond what is already done in the kernel and router. That's not to
say such spoofing cannot be done, just that it is rare and would
require a compromised router or localnet host at a minimum.
> Say I used the IP address of your default gateway. If you
> don't check that and just add a deny rule... well... bad luck ;-)
I would hope that your router doesn't accept packets with its own
source address. But this does bring up a good point, i.e., that no
IDS should be operated without a well thought-out whitelist.
--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
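
The whitelist check discussed in the message above, as an added example that is not part of the original post or of any FreeBSD tool. It assumes IPv4 sources, a threshold of three failures, and a constructed whitelist and log sample; it only prints the `ipfw` rules it would add and does not run them.

```python
import ipaddress
import re
from collections import Counter

# The thread's pattern, extended to capture the source. The greedy ".*" takes the
# address from the end of the line, not from the client-supplied username field.
FAIL_RE = re.compile(r"(?:for invalid user|Failed password for) .* from (\S+) port \d+")

# Assumed whitelist (constructed): default gateway, admin network, loopback.
WHITELIST = [ipaddress.ip_network(n) for n in ("192.0.2.1/32", "10.0.0.0/8", "127.0.0.0/8")]
THRESHOLD = 3  # assumed number of failures before a source is blocked

# Constructed sample log lines.
SAMPLE_LOG = [
    "Nov 22 11:00:01 host sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2",
    "Nov 22 11:00:03 host sshd[101]: Failed password for invalid user test from 203.0.113.5 port 4243 ssh2",
    "Nov 22 11:00:05 host sshd[102]: Failed password for root from 203.0.113.5 port 4244 ssh2",
    "Nov 22 11:01:00 host sshd[103]: Failed password for root from 192.0.2.1 port 5001 ssh2",
    "Nov 22 11:01:02 host sshd[103]: Failed password for root from 192.0.2.1 port 5002 ssh2",
    "Nov 22 11:01:04 host sshd[103]: Failed password for root from 192.0.2.1 port 5003 ssh2",
    "Nov 22 11:02:00 host sshd[104]: Failed password for roger from 198.51.100.7 port 6001 ssh2",
    "Nov 22 11:03:00 host sshd[105]: Accepted password for roger from 198.51.100.7 port 6002 ssh2",
]

def plan_blocks(log_lines, threshold=THRESHOLD):
    """Return (ipfw commands to add, whitelisted sources that reached the threshold)."""
    failures = Counter()
    for line in log_lines:
        m = FAIL_RE.search(line)
        if not m:
            continue
        try:
            failures[ipaddress.IPv4Address(m.group(1))] += 1
        except ValueError:
            continue  # not a literal IPv4 address: never pass it on to ipfw
    commands, skipped = [], []
    for addr in sorted(failures):
        if failures[addr] < threshold:
            continue
        if any(addr in net for net in WHITELIST):
            skipped.append(str(addr))  # alert the operator, but do not block
        else:
            commands.append(f"ipfw add deny ip from {addr} to any")
    return commands, skipped

if __name__ == "__main__":
    cmds, skipped = plan_blocks(SAMPLE_LOG)
    print("\n".join(cmds))
    print("ALERT: whitelisted sources not blocked:", ", ".join(skipped))
```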