Re: ssh brute force attacks
From: Tony Lawrence (pcunix_at_gmail.com)
Date: 20 Mar 2005 12:16:31 -0800
Peter T. Breuer wrote:
> Tony Lawrence <firstname.lastname@example.org> wrote:
> > email@example.com wrote:
> > > "Tony Lawrence" <firstname.lastname@example.org> writes:
> > >
> > > >I just don't see how this is "introducing DOS attacks" - I'm not
> > > >being argumentative; I just don't understand why you say this
> > > >am seeking education.
> > >
> > > The far side simply forges a return IP address of your home
> > > and knocks on sshd many times. Your system now locks out your
> > > IP. You have been denied.
> > Assuming you know my home machine's address and assuming my filter
> > going to dumbly add that? Both assumptions seem farfetched to me -
> But that's precisely what your mechanism does do, and of course we
> what IP address you use! Why wouldn't we?
We are talking about two entirely different things here. On the one
hand we have someone who deliberately wants to DOS me. On the other we
have the blocking of an ip due to an apparent break in.
The first is pointless. If someone wants to DOS my webserver, they do
NOT need to know my home ip address. If that's what they want to
attack, there's not much I can do about it, is there? If you want to
annoy me at home, you might observe a newsgroup post. Great, you've
maybe got a dynamic Comcast address which will change the minute I
power off their router. So MAYBE you could deny me access to my web
server IF you assume that my filtering and blocking is dumb enough to
put its own public address into the block list. Which it isn't, but
even if it were, again it is reset in the morning automatically.
The point of blocking the second class (someone apparently trying to
break in) is to add an additional barrier to their attempt. Maybe they
started with ssh but are going to move on to something else after that.
They shouldn't have much luck, but why NOT block them out totally?
Again, it's only temporary, so if they were spoofing someone else's
address that person would only be blocked for a while.
And then you say "what about an entire block?". I think that's highly
unlikely unless someone IS trying to DOS me, and as I said, they can do
that anyway, and if I really thought this was likely my software could
look for such patterns and unblock earlier. But in any case, I'm going
to drop these blocks after a few hours anyway because their purpose is
to put up a barrier against an on-going attempt to break in.
> And why would we care? We can
> simply DOS everything.
Agreed. I think I've said that at least two or three times. Again,
that wasn't the question. It was stated that automatically blocking
ip's is a nice way of "introducing DOS attacks". I don't see that at
all. If somebody WANTS to do a DOS attack on me or my web server or
both, they surely can do so, but blocking ip's automatically doesn't
particularly help them. You might get me to block out a bunch of IP's,
as you said, but as I said, you'd only pull that trick on me once and
then I'd rewrite my filters to look for patterns like that and
accelerate the unblocking. I've never seen anything to make me think
this is necessary, but it wouldn't be hard to do:
    if IPS_BLOCKED_PER_MINUTE > some_arbitrary_number
        unblock if time_blocked > some_other_arbitrary_number
Not exactly beyond my admittedly poor coding skills.
But my bet is that if somebody wants to DOS me, they'll be coming at me
six ways from Sunday anyway. I may be temporarily blocking some ip's I
shouldn't, but my machine is probably being harried to death on all
fronts anyway so those falsely denied folk probably can't get to me at
all. So I do not think the assertion is at all valid.
> > and again, even if I did blindly let my software do that, I reset
> > those temporary rules in the morning and review them.
> Too many, too fast, and you're too slow. BTW, I run an automatic
Huh? I'm too slow? What on earth do you mean? Do you think I sit
here and review this stuff manually? Of course not: at a specific
time, a script runs that does certain things, like re-allowing console
login, allowing access from the local network, unblocking addresses that
have been blocked overnight, etc. As I explained earlier, I have
multiple layers of blocking in place and a lot of it overlaps. I'm
excessively paranoid and compulsive about this stuff. For example,
at a certain time, not even I can get to my home office box, unless I
want to reboot it to single user mode and use both a BIOS and GRUB
password. This keeps me in bed sleeping when I get tempted to go work
in the middle of the night :-) But it is also yet another layer of
protection - if outer layers fail, I might still survive.
I'm reminded of the attempt someone made 20 years ago to break in to
our house. They attacked the cellar bulkhead door, because the
exterior enclosure hid their activity from observation. Because I knew
that, I had multiple locks on that door - five, to be precise, and they
managed to break four of them, but the fifth kept them out. I apply
the same concept to my machine security.
> % wc -l /etc/hosts.deny
> 1285 /etc/hosts.deny
> And if somebody really wanted to DOS me that list would grow very
> Maybe thousands per hour. Sift through that!
You run an automatic denial scheme but you are defending the idea
that one should not?
No wonder I'm confused... which side of this are you taking?
-- Tony Lawrence
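The scheme argued over in this thread, written out as an added example (this is not code from the original post, nor Tony Lawrence's or Peter Breuer's own filters): block an address after repeated sshd password failures, refuse to block the local network or a whitelist so that a forged copy of your own address cannot lock you out, drop blocks after a few hours, and drop them within minutes when they were created in a burst, which is the IPS_BLOCKED_PER_MINUTE idea from the post. The thresholds (5 failures in 10 minutes, 6-hour blocks, more than 20 blocks in a minute counts as a burst, 10-minute blocks during a burst), the `BlockList`, `observe`, `expire` and `run_demo` names, the OpenSSH "Failed password" line shape and every address and log line below are assumptions constructed for the example. The code only computes decisions and emits hosts.deny-style lines; it does not edit /etc/hosts.deny or a firewall.

```python
"""Added example: a toy block-list policy for auto-blocking ssh brute forcers
with whitelist, timed expiry and accelerated expiry under a burst of blocks.
Not from the original post; all log lines and addresses are constructed."""
import ipaddress
import re
from datetime import datetime, timedelta

# Shape of an OpenSSH password-failure syslog line (constructed sample):
# "Mar 20 12:16:31 gw sshd[2213]: Failed password for root from 203.0.113.7 port 4122 ssh2"
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9.]+) port \d+"
)


class BlockList:
    def __init__(self, never_block, year, fail_threshold=5,
                 fail_window=timedelta(minutes=10),
                 block_for=timedelta(hours=6),
                 burst_threshold=20, burst_block_for=timedelta(minutes=10)):
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.year = year                      # syslog lines carry no year
        self.fail_threshold = fail_threshold
        self.fail_window = fail_window
        self.block_for = block_for
        self.burst_threshold = burst_threshold
        self.burst_block_for = burst_block_for
        self.failures = {}    # ip -> recent failure timestamps
        self.blocked = {}     # ip -> time the block was added
        self.block_log = []   # every block time ever, for the burst check

    def exempt(self, ip):
        """Addresses we refuse to block, whatever the log says."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.never_block)

    def observe(self, line):
        """Feed one log line. Returns the IP if this line caused a block."""
        m = FAIL_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{self.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if self.exempt(ip) or ip in self.blocked:
            return None
        hits = [t for t in self.failures.get(ip, []) if ts - t <= self.fail_window]
        hits.append(ts)
        self.failures[ip] = hits
        if len(hits) >= self.fail_threshold:
            self.blocked[ip] = ts
            self.block_log.append(ts)
            return ip
        return None

    def lifetime(self, since):
        """A block made during a burst of blocks lives only minutes, not hours."""
        window = timedelta(minutes=1)
        burst = sum(1 for t in self.block_log if abs(t - since) <= window)
        return self.burst_block_for if burst > self.burst_threshold else self.block_for

    def expire(self, now):
        """Drop blocks past their lifetime; returns the addresses released."""
        released = [ip for ip, since in self.blocked.items()
                    if now - since > self.lifetime(since)]
        for ip in released:
            del self.blocked[ip]
        return sorted(released)

    def hosts_deny_lines(self):
        return [f"sshd: {ip}" for ip in sorted(self.blocked)]


def fail_line(ts, ip, user="root"):
    """Build a constructed sshd failure line for the demo."""
    return (f"{ts:%b %d %H:%M:%S} gw sshd[2213]: Failed password for {user} "
            f"from {ip} port 4122 ssh2")


def run_demo():
    """Replays constructed log lines; returns snapshots of the block list."""
    bl = BlockList(never_block=["192.168.1.0/24", "198.51.100.4/32"], year=2005)
    t0 = datetime(2005, 3, 20, 12, 16, 31)
    # A real brute-forcer: six failures in a minute -> blocked on the fifth.
    for i in range(6):
        bl.observe(fail_line(t0 + timedelta(seconds=10 * i), "203.0.113.7"))
    # Someone forging our own home address, and a LAN box with a bad password:
    # both are in never_block, so neither can get us locked out.
    for i in range(8):
        bl.observe(fail_line(t0 + timedelta(seconds=i), "198.51.100.4", "tony"))
        bl.observe(fail_line(t0 + timedelta(seconds=i), "192.168.1.5", "tony"))
    after_attack = bl.hosts_deny_lines()
    # A burst: 30 addresses each pushed over the threshold inside one minute.
    t1 = t0 + timedelta(minutes=5)
    for n in range(30):
        for i in range(5):
            bl.observe(fail_line(t1 + timedelta(seconds=i), f"198.18.{n}.1"))
    during_burst = len(bl.blocked)
    # Eleven minutes later the burst blocks are gone; the brute-forcer stays.
    released_early = bl.expire(t1 + timedelta(minutes=11))
    after_burst = bl.hosts_deny_lines()
    # Next morning the routine expiry clears the rest.
    bl.expire(t0 + timedelta(hours=7))
    return {"after_attack": after_attack, "during_burst": during_burst,
            "released_early": released_early, "after_burst": after_burst,
            "morning": bl.hosts_deny_lines()}


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The burst check is deliberately keyed on when a block was created rather than on the current block rate: once a flood of spoofed addresses stops, the rate drops to zero, and a rate-at-expiry check would quietly hand every flood block the long lifetime again. Whitelisting is the cheaper half of the defence; a filter that can never add its own public address, or its own LAN, cannot be turned into a self-inflicted denial of service no matter what the far side forges.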