Security process

Oliver Fromme
Tue Mar 9 11:05:50 PST 2010


Walter <walter at spam.no> wrote:
 > Aggelos Economopoulos wrote:
 > > Because
 > > a) such a mechanism could be used for DoS attacks on the system itself
 > [...]
 > I don't understand how blocking an IP that has had
 > a hundred failed login attempts in the last ten
 > minutes could create a DoS hole...

Depending on exactly how the errors are parsed and
handled, an attacker could spoof some name
or address that is important to you (e.g. your own
IP address, or the address of your DNS server, or
your uplink gateway, or ...).  Not good.

Admittedly it is very difficult to spoof the source
IP address in the case of SSH connection attempts,
at least if the attacker needs to go farther than
just the initial TCP handshake, but still there might
be other pitfalls involved.  Spoofing DNS names is
trivial, by the way, so you should never rely on
that.

In general, if you install any automatism that blocks
something (or some other destructive action), you
should know exactly what you're doing.  Personally
I would never do something like that, even though
I think I have a fairly good understanding of TCP/IP
and networking in general.

 > What if someone hacked an account and started trying
 > to gain root access?

You mean when you have a machine with many untrusted
shell accounts?  In that case you should use something
like jails or similar security measures.

 > Aren't there ways to tell you've
 > got a hacker online before he/she compromises your
 > system?  It seems like a good thing to know.  Yet, as
 > I must admit, I have no idea what tools are in place
 > which might be used to gauge this.  The heuristics may
 > not be trivial, but could be developed... I was just
 > wondering why no one had tried it.

Actually there are many good books about security,
and online tutorials, howtos etc.  Maybe you should
google a bit.  There are already many things you can
do to proactively secure your system, and to monitor
for possible security breaches.  This topic is
probably much too broad for a mailing list like this,
so I don't even try to start enumerating things.

 > I just thought that I'd like a tool that once I got some
 > definable failed login attempts that I'd like the computer
 > to automatically shunt the source IP for a while.

You don't really gain anything by doing that.  And you
don't have to do that at all if you have secured your
system reasonably.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registergericht München, HRA 74606,  Management:
secnetix Verwaltungsgesellsch. mbH, commercial register: Registergericht
München, HRB 125758,  Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more:  http://www.secnetix.de/bsd
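A defender-side illustration of the parsing pitfalls Oliver describes (an added example, not code from the thread): a failed-login counter that anchors on the structured `from <addr> port` field of sshd messages, ignores hostnames because DNS names are trivially spoofable, and refuses to block a protected set of addresses (own address, resolver, gateway). The log lines, the protected addresses and the threshold are constructed for the example.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sshd-style log lines (not taken from the original thread).
SAMPLE_LOG = """\
Mar  9 10:58:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  9 10:58:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar  9 10:58:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  9 10:58:07 host sshd[1204]: Failed password for root from 192.0.2.53 port 40002 ssh2
Mar  9 10:58:08 host sshd[1205]: Failed password for root from 192.0.2.53 port 40003 ssh2
Mar  9 10:58:09 host sshd[1206]: Failed password for root from 192.0.2.53 port 40004 ssh2
Mar  9 10:58:11 host sshd[1207]: Failed password for bob from gateway.example.net port 40010 ssh2
"""

# Match only the fixed trailer of the sshd message, never free-form text
# earlier in the line (such as the user name) that the peer controls.
FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+ ssh2$")

# Assumed per-site values: addresses this host can never afford to block.
PROTECTED = {ipaddress.ip_address("192.0.2.10"),   # the host's own address
             ipaddress.ip_address("192.0.2.53"),   # DNS resolver
             ipaddress.ip_address("192.0.2.1")}    # uplink gateway

THRESHOLD = 3  # failures before a source becomes a block candidate


def candidates_to_block(log_text, threshold=THRESHOLD, protected=PROTECTED):
    """Return ({addr: failures} to block, [(reason, token)] rejected)."""
    counts = defaultdict(int)
    rejected = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        token = m.group(1)
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            # A hostname rather than a literal address: do not act on it.
            rejected.append(("not-an-ip", token))
            continue
        counts[addr] += 1
    blocked = {}
    for addr, n in counts.items():
        if n < threshold:
            continue
        if addr in protected:
            # Blocking this would be a self-inflicted denial of service.
            rejected.append(("protected", str(addr)))
            continue
        blocked[str(addr)] = n
    return blocked, rejected
```

Running `candidates_to_block(SAMPLE_LOG)` blocks only 203.0.113.7; the resolver's three failures and the hostname entry are reported as rejected rather than acted on.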
