Re: ssh brute force attacks

From: Peter T. Breuer (ptb_at_lab.it.uc3m.es)
Date: 03/20/05


Date: Sun, 20 Mar 2005 21:44:49 +0100

Tony Lawrence <pcunix@gmail.com> wrote:
> Peter T. Breuer wrote:
> > But that's precisely what your mechanism does do, and of course we know
> > what IP address you use! Why wouldn't we?
>
> We are talking about two entirely different things here.

No we are not.

> On the one
> hand we have someone who deliberately wants to DOS me.

Fine - and he does that by spoofing your IP address and doing failed
logins to your target box, which causes the target to block your IP for
login attempts. Voila: DOS.

> On the other we
> have the blocking of an ip due to an apparent break in.

That's the mechanism used to effect the DOS by the person who wants to
DOS you. So why do you consider the two different things?

> The first is pointless.

So? Tell that to them, not me!

> If someone wants to DOS my webserver, they do

But they are not trying to - they are DOSing the login service on
whatever machine you set up the blocking mechanism via failed logins.

> NOT need to know my home ip address.

Eh? What relevance is your home address? And why should they need to
know it? They can use every address - maybe your IP address too, if
they want. Why wouldn't they? And what do you think is secret about
your home address?

> If that's what they want to
> attack, there's not much I can do about it, is there?

I don't understand you. Why should you think somebody would attack your
web server? Where does it come into the picture? As far as I know you
simply have a machine Y on which you block IP addresses which fail to
login correctly. Fine - if you login from X, then somebody can DOS you
by simply spoofing X and failing to login.

What's the big deal with that simple idea? Where do webservers come
into this?

And if they want to find out where you normally log in from (why should
they bother?) they simply have to observe you doing a remote login.

> If you want to
> annoy me at home, you might observe a newsgroup post.

I don't understand you - nobody is imagining these special situations.
We only know that you have machines Y and X. Y has a blocking mechanism
triggered by failed logins. Fine. So we spoof X and fail a login to Y.
Hey presto - you're DOSed by your own blocking mechanism.

> Great, you've
> maybe got a dynamic Comcast address which will change the minute I
> power off their router. So MAYBE you could deny me access to my web

I don't understand you. What are you on about?

> server IF you assume that my filtering and blocking is dumb enough to
> put its own public address into the block list. Which it isn't, but
> even if it were, again it is reset in the morning automatically.

I simply do not know what you are talking about. Or why!

> > Too many, too fast, and you're too slow. BTW, I run an automatic denial
> > scheme:
>
> Huh? I'm too slow? What on earth do you mean? Do you think I sit
> here and review this stuff manually?

Sure. How else can you tell?

> Of course not: at a specific
> time, a script runs that does certain things, like re-allowing console
> login, allowing access from the local network, unblocking addresses that
> have been blocked overnight, etc. As I explained earlier, I have

Why would you unblock addresses that have been blocked? What's the
point of blocking them if you are going to unblock them every day!
Well, I suppose it would give you some relief, but it's not worth it -
you still will be DOSed after half an hour again.

For myself, I jealously guard my collection of blocked IPs!

> multiple layers of blocking in place and a lot of it overlaps. I'm
> excessively paranoid and compulsive about this stuff. For example,
> at a certain time, not even I can get to my home office box, unless I
> want to reboot it to single user mode and use both a bios and grub

Well, I certainly never allow root login, or su.

> > % wc -l /etc/hosts.deny
> > 1285 /etc/hosts.deny
> >
> > And if somebody really wanted to DOS me that list would grow very fast.
> > Maybe thousands per hour. Sift through that!
>
> Huh?
>
> You run an automatic denial scheme but you are defending the idea
> that one should not?

No, I am not defending anything! I am simply trying to explain to you
that an automatic blocking scheme leads to a DOS vulnerability,
something which you seem stubbornly too dense to get, no matter how
carefully and how slowly it is explained to you, and no matter how hard
your nose is rubbed in actual pictures of it.

Peter
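The blocking mechanism the two posters argue over, as an added example that is not code from either of them: a self-contained Python script that reads constructed sshd log lines (the addresses are documentation ranges, the administrator's "home" address X and the year are assumptions), builds the naive block list, and then builds the variant with an allowlist of trusted addresses (X and the local network), a sliding window and a block expiry, which is the "reset in the morning" behaviour described above. With the naive policy, failures attributed to the administrator's own address get that address blocked, which is the self-inflicted denial of service Peter describes; the allowlisted version never blocks X. Threshold, window and expiry are assumed values.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not from the thread). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges; 198.51.100.9 plays the admin's
# address X. Syslog lines carry no year, so one is assumed when parsing.
SAMPLE_LOG = """\
Mar 20 21:40:01 y sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar 20 21:40:02 y sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 40123 ssh2
Mar 20 21:40:03 y sshd[1003]: Failed password for invalid user oracle from 203.0.113.7 port 40124 ssh2
Mar 20 21:40:04 y sshd[1004]: Failed password for root from 203.0.113.7 port 40125 ssh2
Mar 20 21:41:10 y sshd[1010]: Failed password for tony from 198.51.100.9 port 51000 ssh2
Mar 20 21:41:11 y sshd[1011]: Failed password for tony from 198.51.100.9 port 51001 ssh2
Mar 20 21:41:12 y sshd[1012]: Failed password for tony from 198.51.100.9 port 51002 ssh2
Mar 20 21:41:13 y sshd[1013]: Failed password for tony from 198.51.100.9 port 51003 ssh2
Mar 20 21:55:00 y sshd[1020]: Accepted publickey for tony from 198.51.100.9 port 51010 ssh2
Mar 20 23:59:00 y sshd[1030]: Failed password for guest from 203.0.113.250 port 3333 ssh2
"""

# Matches the OpenSSH "Failed password" line shape; "invalid user" is optional.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2005):
    """Yield (timestamp, source_ip) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"]


def naive_blocklist(log_text, threshold=3):
    """The scheme the thread argues about: block any address that reaches
    `threshold` failed logins. Whoever can make failures appear to come from
    address X gets X blocked, the administrator's own address included."""
    counts = defaultdict(int)
    for _, ip in parse_failures(log_text):
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= threshold}


def hardened_blocklist(log_text, threshold=3, trusted=(),
                       window=timedelta(minutes=10), ttl=timedelta(hours=8),
                       now=None):
    """Same counting with three defensive changes:
    - addresses or networks in `trusted` (the admin's X, the LAN) are never blocked;
    - only `threshold` failures inside one sliding `window` trigger a block;
    - every block carries an expiry (`ttl`), so a scheduled job can unblock it.
    Returns {ip: expiry}; with `now` given, expired entries are dropped."""
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    events = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        events[ip].append(ts)
    blocks = {}
    for ip, stamps in events.items():
        if any(ipaddress.ip_address(ip) in n for n in nets):
            continue  # allowlisted: cannot be locked out by forged failures
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                blocks[ip] = stamps[i + threshold - 1] + ttl
                break
    if now is not None:
        blocks = {ip: exp for ip, exp in blocks.items() if exp > now}
    return blocks


if __name__ == "__main__":
    print("naive   :", sorted(naive_blocklist(SAMPLE_LOG)))
    print("hardened:", hardened_blocklist(
        SAMPLE_LOG, trusted=["198.51.100.9/32", "192.168.1.0/24"]))
```

The allowlist is the part that matters for the argument: a block list fed only by failed logins will happily contain the address you log in from, so the address (or network) you administer from has to be excluded before the block is written, not cleaned up afterwards.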


