Re: SSH scans vs connection ratelimiting



Oliver Fromme wrote:

> PS: I try to avoid things like automatic blocking of IP
> addresses. They can be dangerous, because such automatisms
> can be used to run DoS attacks against you, by spoofing
> source IPs. Whitelists can help a bit, but you still have
> to be extremely careful.
>
> I know one case where someone had a similar setup, blocking
> IPs completely (not just port 22) if there have been too
> many connection attempts. He whitelisted the IP addresses
> of the workstations from which he was usually connecting
> with ssh, and so he assumed he was safe. Well, until a
> "friend" of his ran an SSH scan against the machine,
> spoofing the IP addresses of his DNS servers, in effect
> putting the machine offline. :-)

I agree with you that you are vulnerable if your hardening mechanism against SSH scans is based on counting TCP packets with SYN flags. You ought to be safe, though, if you went by monitoring the SSH daemon's logfile because it takes several exchanges between the SSH client and server before a failed login attempt gets logged. It is hard to believe that someone could fake a complete exchange like this from the remote via a TCP connection while using source IP address spoofing. My understanding so far is that source IP address spoofing from the remote works only with connectionless protocols like UDP and ICMP, or TCP SYN packets as a special case. Please correct me if I'm wrong.

Regards,

Uwe
--
Uwe Doering | EscapeBox - Managed On-Demand UNIX Servers
gemini@xxxxxxxxxxx | http://www.escapebox.net
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
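The distinction the reply draws is between counting SYN packets (which a blind spoofer can send at will, since a SYN needs no handshake) and counting failed logins in sshd's log (which only appear after a completed TCP handshake, SSH key exchange and authentication attempt; a blind spoofer never sees the server's SYN-ACK and so cannot get that far). The following is an added example of the log-based approach, not code from the thread: it counts "Failed password" lines per source address and applies a whitelist before proposing a block. The log lines, host name, addresses and the threshold are constructed for the example; the line format is OpenSSH's standard "Failed password for ... from ... port ..." message.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample sshd log lines (OpenSSH "Failed password" wording);
# host name, PIDs and addresses are made up for this example.
SAMPLE_LOG = """\
Oct 12 03:14:07 bastion sshd[4711]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct 12 03:14:09 bastion sshd[4712]: Failed password for root from 203.0.113.5 port 51236 ssh2
Oct 12 03:14:11 bastion sshd[4713]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Oct 12 03:15:02 bastion sshd[4720]: Accepted publickey for uwe from 198.51.100.10 port 40000 ssh2
Oct 12 03:15:30 bastion sshd[4721]: Failed password for uwe from 198.51.100.10 port 40001 ssh2
Oct 12 03:16:00 bastion sshd[4722]: Failed password for invalid user oracle from 192.0.2.77 port 33000 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def count_failures(log_text):
    """Count 'Failed password' events per source IP address.

    Such a line is only written after the TCP handshake, the SSH key
    exchange and an authentication attempt have all completed, so it
    reflects a real connection rather than a packet with a forged source.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def select_block_candidates(counts, threshold, whitelist):
    """Return the sorted list of IPs with at least `threshold` failures
    that fall outside the whitelisted networks.

    `whitelist` is a list of CIDR strings (a bare address means /32).
    The whitelist here guards against locking yourself out after a few
    typos from a known workstation; it is not needed to defend against
    forged SYN packets, because those never produce a log line at all.
    """
    nets = [ip_network(w) for w in whitelist]
    candidates = []
    for ip, n in counts.items():
        if n < threshold:
            continue
        addr = ip_address(ip)
        if any(addr in net for net in nets):
            continue
        candidates.append(ip)
    return sorted(candidates)


if __name__ == "__main__":
    failures = count_failures(SAMPLE_LOG)
    for ip, n in failures.most_common():
        print(f"{ip}: {n} failed login(s)")
    # Threshold of 3 and a whitelisted management network (constructed values).
    print("block candidates:",
          select_block_candidates(failures, 3, ["198.51.100.0/24"]))
```

In the sample, only 203.0.113.5 reaches the threshold; 198.51.100.10 is excluded by the whitelist even though it logged a failure, and 192.0.2.77 stays below the threshold. Because every counted event comes from a completed connection, a block keyed on these counts lands on whoever actually held that connection, so the residual risk is not forged sources but a legitimate shared address (a NAT or jump host) being blocked along with an abuser behind it.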
