SSH IP blocking?
Felipe Figueiredo
philsf79 at gmail.com
Thu Apr 10 06:08:08 UTC 2008
On Wed 09 Apr 2008 16:09:36 Bart Silverstrim wrote:
> Felipe Figueiredo wrote:
> > On Wed 09 Apr 2008 15:43:02 Bart Silverstrim wrote:
> >> sudo /etc/rc.d/init.d/denyhosts restart. I configured it to
> >> download (and upload) lists to share bans and it REALLY populated
> >> the deny list,
> >
> > How hard is it make such an upload? Do you have to be authenticated in
> > some form? If not, this can be seriously abused. In fact, some such
> > script kiddie could use it to block arbitrary IPs.
>
> It's not hard, it's just a setting in the file.
>
> No authentication.
>
> As for the abuse, I don't know of it happening...it most likely could,
> but it doesn't make much sense if it doesn't lock out access from your
> own machine and your whitelists even if they're in the list for
> denyhosts. All they'd do is lock themselves out from being able to
> abuse your system.
Not that fast. I'm talking about DoS here.
Even if the whitelist routines are bugless, one can block arbitrary IPs
from connecting to an arbitrary number of hosts that make use of the
listing service, without even a justification or proof. This is hardly a
safe thing, especially coming from a security-aware application. This
seems actually a rather dumb and lazy thing to do, since reporters should
in fact report the activity to the originating network's managers,
instead of putting the IP in a public killfile. Remember, IP != person.
Also, you can't possibly predict that your safe host will always be
accessible (you could even be blocked from accessing it, if it uses the
same mechanism, never mind network outages), in which case you would need
to access your box directly. On a side note, in many (most?) cases,
abusers are using dynamic IPs from ISPs so, in an anecdotal situation,
one can block a legitimate user that happened to get an IP that was just
used for an attack. I am assuming the list is not permanent, otherwise it
gets even worse.
In your home host this whole scenario may be acceptable, but certainly not
for multi-user hosts. OTOH, this is probably overkill for a home host
where you always connect from a few previously known hosts, since you are
feeding a potentially huge list of IPs and CIDRs that must not have
access, that will have to be processed at connection time, instead of just
blocking everything other than the known IPs with iptables.
Also, in your home host you can change the port sshd listens on, and this
will have the same result, without any negative impact from huge lists
that grow unchecked. If you really like to experiment, you can block
everything from everywhere, and use a port knocking daemon to temporarily
open a port for you when you need it.
regards
FF
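The lock-out and collateral-blocking points raised above, as an added example that is not code from this thread or from DenyHosts: a small Python screen that checks a shared deny feed against your own whitelist before anything is applied, and counts how many addresses the feed would actually shut out. The feed contents, the CIDR entries and the whitelist are constructed assumptions.

```python
import ipaddress

# Constructed sample feed: one IP or CIDR per line, as a shared ban list might
# arrive (CIDR entries are an assumption for illustration; TEST-NET ranges).
SHARED_DENY_FEED = """
203.0.113.7
198.51.100.0/24   # a whole ISP range: dynamic-IP users get caught as well
192.0.2.44
203.0.113.0/28
"""

# Hosts you must always be able to reach the box from (constructed whitelist).
WHITELIST = ["198.51.100.23", "192.0.2.200"]

def parse_networks(text):
    """Return [(raw_entry, ip_network)] for each non-blank, non-comment line."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append((entry, ipaddress.ip_network(entry, strict=False)))
    return nets

def lockout_risks(deny_text, whitelist):
    """Map each whitelisted host to the feed entries that would cover it.
    Any hit is the DoS case: an unauthenticated report blocks your own access."""
    nets = parse_networks(deny_text)
    risks = {}
    for host in whitelist:
        addr = ipaddress.ip_address(host)
        hits = [raw for raw, net in nets if addr in net]
        if hits:
            risks[host] = hits
    return risks

def safe_deny_set(deny_text, whitelist):
    """Feed entries that cover no whitelisted host, in feed order."""
    addrs = [ipaddress.ip_address(h) for h in whitelist]
    return [raw for raw, net in parse_networks(deny_text)
            if not any(a in net for a in addrs)]

def blocked_address_count(deny_text):
    """Distinct addresses the feed shuts out (overlapping entries collapsed)."""
    nets = [net for _, net in parse_networks(deny_text)]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
```

On the sample feed the /24 entry alone would cut off one of the whitelisted hosts, and the raw feed blocks 273 addresses where the screened one blocks 17.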