Re: ssh brute force attacks

From: Peter T. Breuer (ptb_at_lab.it.uc3m.es)
Date: 03/20/05


Date: Sun, 20 Mar 2005 20:11:38 +0100

Tony Lawrence <pcunix@gmail.com> wrote:
> Peter T. Breuer wrote:
> > If he spoofs X AND THEN does some failed password attempts, yes, your
> > proposed mechanism will lock him out, i.e. lock you out.
> >
> > > KNOW that I use X to access Y anyway - and why and how would they know
> > > that??
> >
> > I've no idea! Does it matter? Presumably they know something about you
> > to want to do a DOS on you. I would presume they know what IP addresses
> > you use too. But why should they care? They can simply DOS you on
> > anything they feel like. It would be a DOS attack just to fill up your
> > log with failed password attempts. Or fill up your exclude file with
> > 2^32 IP addresses to be denied access from.
>
> OK. But that wasn't the question. If somebody wants to DOS me,
> there's all kinds of ways to do so, and I don't see why BLOCKING them
> creates MORE opportunity.

I don't understand why you don't understand what is said to you. It is
like meeting somebody who is blind to the colour red, and waving a red
flag under his nose, and then hearing him ask where the breeze is
coming from.

Read it very carefully:

    If he spoofs X AND THEN does some failed password attempts, yes, your
    proposed mechanism will lock him out, i.e. lock you out.

What is so difficult to understand?

> What was originally said was:
>
> "Blocking IPs because of failed logins is a nice way introducing
> DOS attacks against yourself. What if someone spoofs the IP?"

Sure. Exactly. "What if someone spoofs the IP?". Or as I said:

    If he spoofs X AND THEN does some failed password attempts, yes, your
    proposed mechanism will lock him out, i.e. lock you out.

Do you see the red flag?

> If somebody has deliberate intent to harm me, well, that's what they
> are going to do, isn't it? That's entirely a different condition and
> purpose from someone trying to break in.

I don't understand what you mean. A DOS attack is not a break-in. It's
a denial of service. Plainly, if you can't log in to your own machine,
because your lock-out mechanism has been tricked by spoofing into
locking you out, then you have been denied your usual service of a login!

What's the conceptual difficulty here?

> And who says I log accesses from ip's I've blocked?

Nobody. Who cares? If you do, then we can fill your logs. So?

> As a matter of
> practice, if someone has reached that level of annoyance, I don't log
> it - just block it.

Doesn't matter - you will block it, which is the principal DOS. I
merely pointed out that you might well also fill your logs with the
notices!

And I also pointed out that you might have to block 2^32 IP addresses,
which at say 20 bytes each, would be 32GB, which might also nicely fill
your disk, to say nothing of simply preventing you logging in at all by
dint of making it take so long to search the denied list that the tcp
or login timeout is exceeded at every attempt.

> As to entire subnet blogs,

Eh? What?

> I dunno about your
> router, but I can do that with a single entry and a mask.. so why would
> I have a gigantic exclude file - assuming I was going to do that at
> all?

Because you have a mechanism that adds an IP address to a denied file
every time somebody tries to login from that IP address three times,
and fails. Fine - we're happy to fill your list with 2^32 IP addresses.
See how you like that!

> Again, I'm probably misunderstanding something, so don't think that I'm

What can you possibly misunderstand?

> standing toe to toe shouting in your face - it just still doesn't make
> sense to me as stated.

Why not? How can you misinterpret what is said to you? There is no
trick to it!

Peter
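The self-lockout failure mode argued over in this thread, as an added illustration that is not code from the thread or from any poster: a constructed ban list that denies an address after three failed logins, beside a version carrying the mitigations a practitioner would add (a never-block allowlist, expiring bans, a bounded ban table). The class names, `lockout_demo` and the documentation-range addresses are assumptions made for the example.

```python
import time
from collections import defaultdict
# Constructed illustration of the rule debated in the thread (deny an address after
# three failed logins), beside a version with the mitigations a practitioner adds.
THRESHOLD = 3

class NaiveBanList:
    """The rule as stated: THRESHOLD failures from an address deny it permanently."""
    def __init__(self):
        self.failures, self.denied = defaultdict(int), set()
    def record_failure(self, ip):
        self.failures[ip] += 1
        if self.failures[ip] >= THRESHOLD:
            self.denied.add(ip)
    def is_allowed(self, ip):
        return ip not in self.denied

class HardenedBanList:
    """Same rule, but allowlisted sources are never banned, bans expire after
    ban_seconds, and the table is capped so it cannot grow without bound."""
    def __init__(self, allowlist, ban_seconds=600, max_entries=10000, now=time.time):
        self.allowlist, self.ban_seconds = set(allowlist), ban_seconds
        self.max_entries, self.now = max_entries, now   # now() is injectable for tests
        self.failures, self.denied = defaultdict(int), {}  # denied: ip -> expiry time
    def _expire(self):
        t = self.now()
        for ip in [ip for ip, exp in self.denied.items() if exp <= t]:
            del self.denied[ip]
            self.failures.pop(ip, None)
    def record_failure(self, ip):
        if ip in self.allowlist:
            return  # failures attributed to a trusted address (e.g. spoofed) cannot ban it
        self.failures[ip] += 1
        if self.failures[ip] >= THRESHOLD:
            self._expire()
            if len(self.denied) >= self.max_entries:
                del self.denied[min(self.denied, key=self.denied.get)]  # evict ban nearest expiry
            self.denied[ip] = self.now() + self.ban_seconds
    def is_allowed(self, ip):
        self._expire()
        return ip not in self.denied

def lockout_demo(trusted_ip="192.0.2.10"):
    """Three failures charged to trusted_ip: naive locks it out, hardened does not."""
    naive, hard = NaiveBanList(), HardenedBanList(allowlist=[trusted_ip])
    for _ in range(THRESHOLD):
        naive.record_failure(trusted_ip)
        hard.record_failure(trusted_ip)
    return naive.is_allowed(trusted_ip), hard.is_allowed(trusted_ip)
```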
