Re: ssh brute force attacks

From: Tony Lawrence (pcunix_at_gmail.com)
Date: 03/20/05


Date: 20 Mar 2005 13:00:49 -0800


Peter T. Breuer wrote:
> Tony Lawrence <pcunix@gmail.com> wrote:
> >
> > OK. But that wasn't the question. If somebody wants to DOS me,
> > there's all kinds of ways to do so, and I don't see why BLOCKING them
> > creates MORE opportunity.
>
> I don't understand why you don't understand what is said to you. It is
> like meeting somebody who is blind to the colour red, and waving a red
> flag under his nose, and then hearing him ask where the breeze is

Ayup. As usual, dear Peter, while I truly respect and admire your
intelligence and knowledge, your personality could use a long session
with an industrial sander. It seldom fails that you turn abusive when
someone is struggling to understand you, does it?

Oh, well, that's just the way you are, and your contributions are worth
it. I'd rather have them without the abuse, but better that than not
at all.

>
> > What was originally said was:
> >
> > "Blocking IPs because of failed logins is a nice way introducing
> > DOS attacks against yourself. What if someone spoofs the IP?"

And that's the question. What if they spoof what IP? My public ? The
script isn't that dumb. An internal private ip? Neither my router nor my
machine are dumb enough to accept a packet on an interface it shouldn't have
come from. Someone else's public IP? Yes, as noted, I'll be
temporarily denying that innocent person. That's not "against
yourself", though, but if that's what he meant, great.

But that can't be the case for someone who has failed login attempts,
which is where this all started; if you are spoofing an ip, you aren't
ever going to know whether I ever responded to your login attempt at
all!

So the only case where this makes any sense at all would be that xyz
tries to login to my machine, fails, attempts the magic number of times
in the magic time period, and gets locked out. Noticing this, he
decides to take revenge and starts a DOS attack with multiple spoofed
IP addresses.

I find that scenario more than extremely unlikely.

>
> > If somebody has deliberate intent to harm me, well, that's what they
> > are going to do, isn't it? That's entirely a different condition and
> > purpose from someone trying to break in.
>
> I don't understand what you mean. A DOS attack is not a break-in. It's
> a denial of service. Plainly, if you can't log in to your own machine,
> because your lock-out mechanism has been tricked by spoofing into
> locking you out, then you have been denied your usual service of a login!

Cripes! The THREAD is about ssh brute force login attacks. Those are
the ip's we're talking about locking out.

And as I've said multiple times, why do you assume that a lock-out
script is dumb enough to lock an IP you know you need to use? Or that
it can't reset these after passage of a certain amount of time? Or
that it remains in place forever?

>
> What's the conceptual difficulty here?

I don't know. Perhaps that you keep ignoring what I ask and then set
up straw men to knock down with great derision? Does that feed
something inside you?

As I've said more than once, if someone has the desire to DOS me, they
are going to do so. I do not accept that blocking ip's of apparent
break in attempts in any way "is a nice way introducing DOS attacks
against yourself". Neither you nor anyone else has said
anything that adequately defends that position.
 

-- 
Tony Lawrence
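
A sketch of the kind of lock-out logic the post describes (a failure threshold inside a time window, an allowlist for an address you need, and blocks that lapse by themselves), added here as an example; it is not part of the original post or any poster's script. The thresholds, the allowlisted address and the log lines are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 3                    # "magic number of times" (assumed value)
WINDOW = timedelta(minutes=5)       # "magic time period" (assumed value)
BLOCK_FOR = timedelta(minutes=30)   # a block lapses by itself (assumed value)
ALLOWLIST = [ipaddress.ip_network("198.51.100.10/32")]  # address you need (constructed)
FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
                    r"(?:invalid user )?\S+ from (\S+) port \d+")

# Constructed sshd log lines using documentation address ranges, not real traffic.
SAMPLE_LOG = """\
Mar 20 12:00:01 host sshd[811]: Failed password for root from 203.0.113.7 port 40101 ssh2
Mar 20 12:00:03 host sshd[811]: Failed password for root from 203.0.113.7 port 40102 ssh2
Mar 20 12:00:05 host sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40103 ssh2
Mar 20 12:01:00 host sshd[820]: Failed password for tony from 198.51.100.10 port 51000 ssh2
Mar 20 12:01:02 host sshd[820]: Failed password for tony from 198.51.100.10 port 51001 ssh2
Mar 20 12:01:04 host sshd[820]: Failed password for tony from 198.51.100.10 port 51002 ssh2
Mar 20 12:02:00 host sshd[830]: Failed password for bob from 192.0.2.44 port 3300 ssh2
Mar 20 12:09:00 host sshd[831]: Failed password for bob from 192.0.2.44 port 3301 ssh2
Mar 20 12:16:00 host sshd[832]: Failed password for bob from 192.0.2.44 port 3302 ssh2
""".splitlines()

def parse(line, year=2005):
    """Return (timestamp, address) for a failed-password line, else None."""
    m = FAILED.match(line)
    try:
        return (datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"),
                ipaddress.ip_address(m.group(2)))
    except (AttributeError, ValueError):   # no match, or a malformed field
        return None

def blocked_at(log_lines, now):
    """Replay time-ordered log lines; return addresses still blocked at `now`."""
    recent = defaultdict(deque)     # address -> failure times inside WINDOW
    expires = {}                    # address -> moment the block lapses
    for when, ip in filter(None, map(parse, log_lines)):
        if when > now:
            break
        if any(ip in net for net in ALLOWLIST):
            continue                # never lock out an address you rely on
        q = recent[ip]
        q.append(when)
        while when - q[0] > WINDOW:
            q.popleft()             # forget failures older than the window
        if len(q) >= MAX_FAILURES:
            expires[ip] = when + BLOCK_FOR
    return {str(ip) for ip, until in expires.items() if until > now}
```

The function only computes which addresses would be blocked at a given moment; feeding that set to a packet filter is left out.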

