SSH IP blocking?

Felipe Figueiredo philsf79 at gmail.com
Thu Apr 10 06:08:08 UTC 2008


On Wed 09 Apr 2008 16:09:36 Bart Silverstrim wrote:
> Felipe Figueiredo wrote:
> > On Wed 09 Apr 2008 15:43:02 Bart Silverstrim wrote:
> >> sudo /etc/rc.d/init.d/denyhosts restart.  I configured it to
> >> download (and upload) lists to share bans and it REALLY populated
> >> the deny list,
> >
> > How hard is it to make such an upload? Do you have to be authenticated in
> > some form? If not, this can be seriously abused. In fact, some such
> > script kiddie could use it to block arbitrary IPs.
>
> It's not hard, it's just a setting in the file.
>
> No authentication.
>
> As for the abuse, I don't know of it happening...it most likely could,
> but it doesn't make much sense if it doesn't lock out access from your
> own machine and your whitelists even if they're in the list for
> denyhosts.  All they'd do is lock themselves out from being able to
> abuse your system.

Not that fast. I'm talking about DoS here.

Even if the whitelist routines are bugless, one can block arbitrary IPs 
from connecting to an arbitrary amount of hosts that make use of the 
listing service, without even a justification or proof. This is hardly a 
safe thing, especially coming from a security-aware application. This 
actually seems a rather dumb and lazy thing to do, since reporters should 
in fact report the activity to the originating network's managers, 
instead of putting the IP in a public killfile. Remember, IP != person.

Also, you can't possibly predict that your safe host will always be 
accessible (you could even be blocked from accessing it, if it uses the 
same mechanism, never mind network outages), in which case you would need 
to access your box directly. On a side note, in many (most?) cases, 
abusers are using dynamic IPs from ISPs so, in an anecdotal situation, 
one can block a legitimate user that happened to get an IP that was just 
used for an attack. I am assuming the list is not permanent, otherwise it 
gets even worse.

In your home host this whole scenario may be acceptable, but certainly not 
for multi-user hosts. OTOH, this is probably overkill for a home host 
where you always connect from a few previously known hosts, since you are 
feeding a potentially huge list of IPs and CIDRs that must not have 
access, that will have to be processed at connection time, instead of just 
blocking everything other than the known IPs with iptables.

Also, in your home host you can change the port sshd listens to, and this 
will have the same result, without any negative impact from huge lists 
that grow unchecked. If you really like to experiment, you can block 
everything from everywhere, and use a port knocking daemon to temporarily 
open a port for you, when you need it.

regards
FF
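The iptables alternative Felipe describes above (allow sshd only from a few known hosts, drop everything else, so no ever-growing deny list is consulted at connection time), written out as an added example that is not part of the original thread. The function names are hypothetical and the addresses are constructed RFC 5737 sample values; the script prints the rules for review rather than applying them.

```sh
#!/bin/sh
# Added example (not from the thread): emit an iptables rule set that lets
# sshd accept new connections only from a fixed whitelist and drops the rest.

SSH_PORT=22                                  # change if sshd was moved to another port
KNOWN_HOSTS="203.0.113.10 198.51.100.0/24"   # constructed sample addresses (RFC 5737)

# ssh_whitelist_rules PORT SRC... : print the rules without running them, so they
# can be reviewed first and then piped to sh as root. The chain is flushed and
# rebuilt each run, so repeated runs are idempotent.
ssh_whitelist_rules() {
    port="$1"; shift
    echo "iptables -N SSH_ALLOW 2>/dev/null || true"
    echo "iptables -F SSH_ALLOW"
    for src in "$@"; do
        echo "iptables -A SSH_ALLOW -s $src -j ACCEPT"
    done
    # Anything not matched above is dropped; this list never grows on its own.
    echo "iptables -A SSH_ALLOW -j DROP"
    # Only NEW connections to sshd are steered into the chain; inserting at the
    # top of INPUT keeps an earlier blanket ACCEPT for the port from bypassing it.
    echo "iptables -I INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j SSH_ALLOW"
}

# count_accept_rules PORT SRC... : number of ACCEPT rules, one per known host.
count_accept_rules() {
    ssh_whitelist_rules "$@" | grep -c -- '-j ACCEPT'
}

# last_rule_action PORT SRC... : the target of the final rule inside SSH_ALLOW.
last_rule_action() {
    ssh_whitelist_rules "$@" | grep -- '-A SSH_ALLOW' | tail -n 1 | sed 's/.*-j //'
}

ssh_whitelist_rules "$SSH_PORT" $KNOWN_HOSTS
```

Review the printed rules, then run them as root (for example `sh script.sh | sudo sh`); a port knocker, as suggested above, would simply insert a temporary ACCEPT ahead of the DROP in SSH_ALLOW.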

More information about the ubuntu-users mailing list