Re: iptables & tcp wrappers

From: Luis M (lemsx1_at_latinomixed.com)
Date: 10/05/04

    To: Thomas Chiverton <thomas.chiverton@bluefinger.com>
    Date: Tue, 05 Oct 2004 09:11:37 -0400
    
    

    On Tue, 2004-10-05 at 10:33 +0100, Thomas Chiverton wrote:
    > On Tuesday 05 Oct 2004 02:40 am, you said:
    > > However, a few milliseconds later you will be blocked for that IP, thus
    > > you will be forced to change IPs to continue DoS'ing the box.
    >
    > I would be spoofing my IP anyway, wouldn't I ?
    > Better yet, I can use the IP of your customer's }:-)

    Use the IP of my customers to login or to try to get them to the blocked
    list file?

    High up in the hosts.allow file there is a rule with allowed IPs for
    sshd. All IPs for my "customers", who are allowed to login to this box,
    are listed there. If you can guess one of these IPs, then you will be
    allowed to try to find/guess a username from the few in the AllowUsers
    option of sshd_config (root is not allowed of course), and after you
    guess that username you still have to guess the password of that user.

    If you can spoof your IP to be one of the allowed in hosts.allow, guess
    a user from the AllowUsers option of sshd_config, and the password of
    this user, then you are welcome to login.

    Layers upon layers upon layers of security. This, in my opinion, is
    one of the best ways to secure a box through a given service. Let's not
    forget that after you login you still will have to escalate your
    privileges to root or whatever super user there is in that box. And this
    is assuming that the kernel is not version 2.6.x and SELinux policies
    are not in place.

    Hey, but I do get your point, there will always be something that could
    be exploited. We are just trying to make it harder to find or almost
    impossible to do. This is why people should have some sort of system for
    checking the integrity of their systems (tripwire?) and have a clean
    backup ready to restore whatever files (or the whole server with an
    image of the drive) if any security breach is detected.

    --
    ----)(----- 
    Luis M 
    System Administrator 
    LatinoMixed.com 
    lemsx1@latinomixed.com 
    Linux is obsolete -- Andrew Tanenbaum 
    http://www.latinomixed.com/
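
How the rule order described in this message plays out, as an added example that is not part of the original post or the author's configuration: a simplified Python model of first-match evaluation in hosts.allow, showing that a customer IP that also lands in the block list stays reachable only while the allow rule sits above the deny rule. The addresses, the rule text and the function names are constructed assumptions; the `: allow` / `: deny` options follow the hosts_options(5) extension syntax.

```python
# Added example: simplified model of tcp_wrappers first-match evaluation.
import ipaddress

# Constructed hosts.allow content (documentation IP ranges, not from the post).
# Rule 1: customer IPs allowed to reach sshd. Rule 2: automatically blocked IPs,
# which here also contains one customer IP (192.0.2.25).
HOSTS_ALLOW = """
sshd : 192.0.2.10 192.0.2.25 : allow    # customers, listed high up
sshd : 203.0.113.7 192.0.2.25 : deny    # entries from the block list
"""

def parse_rules(text):
    """Parse 'daemon : clients : action' lines into (daemon, [clients], action)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemon, clients, action = (field.strip() for field in line.split(":"))
        rules.append((daemon, clients.split(), action))
    return rules

def client_matches(pattern, addr):
    """Match ALL, a literal IPv4 address, or a CIDR network (subset of real syntax)."""
    if pattern == "ALL":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def decide(rules, daemon, addr):
    """Return the action of the first matching rule; later rules are never read."""
    for rule_daemon, clients, action in rules:
        if rule_daemon in (daemon, "ALL") and any(client_matches(p, addr) for p in clients):
            return action
    return None  # no match: real tcp_wrappers would consult hosts.deny next

def swapped(rules):
    """Same rules with the block-list rule moved above the customer allow rule."""
    return [rules[1], rules[0]] + rules[2:]

if __name__ == "__main__":
    rules = parse_rules(HOSTS_ALLOW)
    for addr in ("192.0.2.25", "203.0.113.7", "198.51.100.4"):
        print(addr, decide(rules, "sshd", addr), decide(swapped(rules), "sshd", addr))
```

With the deny rule first, the same customer address is refused, which is the lockout the quoted reply raises.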
    
