block_ssh_guessers - Security



Thread: block_ssh_guessers

  1. block_ssh_guessers

    Here's a script I wrote that watches for SSH password-guessing attempts
    and adds iptables rules to temporarily lock them out. It specifically
    watches for lots of "invalid user" messages, which is more
    characteristic of these SSH guessers than ones about wrong passwords.

    I found a 10-minute lockout causes most of these script kiddies to give
    up and go somewhere else. Except for this one attack that kept right on
    after the lockout was removed, and then through another lockout.

    I came across this fascinating-sounding "tarpit" option in the man page
    for iptables. Unfortunately, my kernel (2.6.13-15-default for OpenSuSE
    10.0) doesn't seem to have it enabled. (TARPIT is an out-of-tree
    netfilter target -- patch-o-matic-ng territory at the time -- rather than
    part of the mainline kernel, which is probably why a stock distribution
    kernel lacks it.) It seems to me that would be a much more effective
    deterrent, though note it only slows a guesser down; it does not stop
    the guesses that do get through.

    Comments welcomed.
    ----
    #!/usr/bin/python
    #+
    # This script runs as a daemon, monitoring ssh password-guessing
    # attempts and blocking connections from the offending IP addresses.
    #
    # Created 2006 March 4 by Lawrence D'Oliveiro.
    # Fix hit expiry calls 2006 March 5.
    #-

    import os
    import re
    import signal
    import subprocess
    import sys
    import syslog
    import time

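    LogFileName = "/var/log/messages" # the syslog file that sshd's messages land in

    NrGuesses = 6
    # number of "invalid user" messages to trigger blocking
    WithinInterval = 60
    # that number of "invalid user" messages must occur within this
    # number of seconds to trigger blocking
    BlockInterval = 600
    # addresses stay on the blocked list for this number of seconds
    # before being allowed access again

    # Matches a syslog line such as
    #   Apr 17 10:57:53 host sshd[1234]: Invalid user admin from 1.2.3.4
    # Groups: month name, day, hour, minute, second, source address.
    # The username is whatever the client offered, so the address is taken
    # from the LAST " from " on the line (greedy ".*" before it), must consist
    # of IP-literal characters only, and must end the line (apart from an
    # optional "port N" that some sshd versions append).  Otherwise a username
    # containing "from <address>" could choose which address gets captured
    # -- and blocked.
    SshGuessPattern = re.compile \
      (
        r"([a-zA-Z]{3})\s+([0-9]+)\s+([0-9]+):([0-9]+):([0-9]+)\s+\S+\s+"
        r"sshd\[[0-9]+\]:\s+Invalid user .* from\s+([0-9A-Fa-f.:]+)"
        r"(?:\s+port\s+[0-9]+)?\s*$",
        re.IGNORECASE
      )
    # an IPv4 address logged in IPv4-mapped IPv6 form, "::ffff:a.b.c.d";
    # group 1 is the plain dotted quad
    IPv4Prefix = re.compile \
      (
        r"^::ffff:(.+)$",
        re.IGNORECASE
      )

    # MonthNames.find(abbrev) // 3 + 1 gives the month number (abbrev must be
    # capitalised as here, e.g. "Apr")
    MonthNames = "JanFebMarAprMayJunJulAugSepOctNovDec"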

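    class HitAddress :
        """Per-source-address bookkeeping: the timestamps of recent
        "Invalid user" hits and whether an iptables DROP rule is currently
        in place for the address.

        Reads the module-level thresholds NrGuesses, WithinInterval and
        BlockInterval."""

        # The address was cut out of a log line, so it is checked once more
        # here, right at the command boundary: only characters that can occur
        # in an IPv4/IPv6 literal are allowed through to iptables.  (Plain
        # iptables is invoked, not ip6tables, so an IPv6 literal will simply
        # be rejected by iptables itself and logged below.)
        AddrPattern = re.compile(r"^[0-9A-Fa-f.:]+$")

        def __init__(self, Addr) :
            self.Addr = Addr
            self.Blocked = False # no rule in place to begin with
            self.Hits = [] # epoch seconds of recent hits, oldest first
        #end __init__

        def _RunIptables(self, Action) :
            """runs iptables with Action ("--append" or "--delete") on this
            address's DROP rule.  Returns True only if the command ran and
            exited successfully.  No shell is involved: the address travels
            as a single argv element whatever it contains."""
            if self.AddrPattern.match(self.Addr) == None :
                syslog.syslog(syslog.LOG_NOTICE, "refusing to pass %r to iptables" % self.Addr)
                return False
            #end if
            try :
                Status = subprocess.call \
                  (
                    ["iptables", Action, "INPUT", "--source", self.Addr, "-j", "DROP"]
                  )
            except OSError :
                # iptables binary missing or not executable
                syslog.syslog(syslog.LOG_NOTICE, "could not run iptables for %s" % self.Addr)
                return False
            #end try
            if Status != 0 :
                # typically: not running as root, or the rule to delete is gone
                syslog.syslog \
                  (
                    syslog.LOG_NOTICE,
                    "iptables %s for %s exited with status %d" % (Action, self.Addr, Status)
                  )
            #end if
            return Status == 0
        #end _RunIptables

        def Block(self) :
            """adds the DROP rule for the address unless one is already in
            place.  The address is only remembered as blocked if iptables
            succeeded, so a failed call is retried on the next hit instead of
            leaving the address believed-blocked but still open."""
            if not self.Blocked :
                syslog.syslog(syslog.LOG_NOTICE, "block %s" % self.Addr)
                if self._RunIptables("--append") :
                    self.Blocked = True
                #end if
            #end if
        #end Block

        def Unblock(self) :
            """removes the DROP rule if one is in place.  If the removal
            fails the address stays marked blocked, so the failure is visible
            in the log and a later Unblock call retries it."""
            if self.Blocked :
                syslog.syslog(syslog.LOG_NOTICE, "unblock %s" % self.Addr)
                if self._RunIptables("--delete") :
                    self.Blocked = False
                #end if
            #end if
        #end Unblock

        def AddHit(self, When) :
            """records a hit at time When (epoch seconds) and blocks the
            address once NrGuesses hits have landed within WithinInterval
            seconds of each other."""
            self.Hits.append(When)
            if \
                    len(self.Hits) >= NrGuesses \
                and \
                    When - self.Hits[-NrGuesses] <= WithinInterval \
            :
                self.Block()
            #end if
        #end AddHit

        def ExpireHits(self) :
            """drops hits older than BlockInterval seconds and, once none
            are left, removes the block.  Called periodically by the main
            loop."""
            Now = time.time()
            while self.Hits and Now - self.Hits[0] >= BlockInterval :
                del self.Hits[0]
            #end while
            if not self.Hits :
                self.Unblock()
            #end if
        #end ExpireHits

    #end HitAddress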

    Quitting = False # set by the signal handler, polled by the main loop

    def SetQuit(SignalNr, CurrentStack) :
        """signal handler: asks the main loop to finish up and remove its
        iptables rules instead of dying with blocks left behind."""
        global Quitting
        Quitting = True
    #end SetQuit

    # any of the usual "please stop" signals gets the graceful treatment
    for Sig in (signal.SIGTERM, signal.SIGINT, signal.SIGQUIT) :
        signal.signal(Sig, SetQuit)
    #end for

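    def _LogTime(MonthName, MonthDay, Hour, Minute, Second) :
        """converts a syslog timestamp (no year, local time) to seconds
        since the epoch, assuming it lies within the past twelve months."""
        # the pattern matches month names case-insensitively but MonthNames
        # is capitalised; normalise so the lookup cannot come back as -1
        Month = MonthNames.find(MonthName.capitalize()) // 3 + 1
        # syslog omits the year; decide it against the LOCAL calendar,
        # since mktime interprets the tuple as local time as well
        (Year, CurMonth) = time.localtime()[0:2]
        if Month > CurMonth :
            Year -= 1
        #end if
        return time.mktime((Year, Month, MonthDay, Hour, Minute, Second, 0, 0, -1))
    #end _LogTime

    def main() :
        """Daemon body: tails LogFileName, counts "Invalid user" hits per
        source address and keeps an iptables DROP rule in place for each
        address that trips the threshold, until SIGTERM/SIGINT/SIGQUIT sets
        Quitting.  Every rule this process added is removed on the way out."""
        # Anything other than an IPv4/IPv6 literal is refused before it can
        # reach iptables.  The address is cut out of a log line; if sshd ever
        # logs an offered username verbatim, a username such as
        # "x from 127.0.0.1" must not be able to pick the address that gets
        # blocked.  NOTE(review): whether sshd escapes such usernames varies
        # by version -- hence the belt-and-braces check here.
        AddrLiteral = re.compile(r"^[0-9A-Fa-f.:]+$")
        LogFile = None
        Hit = {} # source address -> HitAddress
        # Only the very first open skips to the end of the file: replaying
        # weeks of old log lines at startup would block and then (at the
        # first ExpireHits) immediately unblock every address that ever
        # tripped the threshold.  After a rotation the new file is read from
        # its start.
        SkipHistory = True
        # The third argument is the facility only.  OR-ing a priority such as
        # LOG_NOTICE into it shifts the default-priority messages to
        # LOG_DEBUG, which most syslog configurations discard.
        syslog.openlog \
          (
            "%s[%d]" % (os.path.basename(sys.argv[0]), os.getpid()),
            0,
            syslog.LOG_USER
          )
        while True :
            if LogFile == None :
                LogFile = open(LogFileName, "r")
                if SkipHistory :
                    LogFile.seek(0, 2)
                    SkipHistory = False
                #end if
            #end if
            while True :
                Line = LogFile.readline()
                if Line == "" :
                    break
                Guesser = SshGuessPattern.match(Line)
                if Guesser == None :
                    continue
                (MonthName, MonthDay, Hour, Minute, Second, SrcAddr) = \
                    Guesser.groups()
                IPv4 = IPv4Prefix.match(SrcAddr)
                if IPv4 != None :
                    SrcAddr = IPv4.group(1) # IPv4-mapped form "::ffff:a.b.c.d"
                #end if
                if AddrLiteral.match(SrcAddr) == None :
                    syslog.syslog \
                      (
                        syslog.LOG_NOTICE,
                        "ignoring unparseable source address %r" % SrcAddr
                      )
                    continue
                #end if
                When = _LogTime \
                  (
                    MonthName, int(MonthDay), int(Hour), int(Minute), int(Second)
                  )
                if SrcAddr not in Hit :
                    Hit[SrcAddr] = HitAddress(SrcAddr)
                #end if
                Hit[SrcAddr].AddHit(When)
            #end while
            LogFile.seek(0, 1) # clears the EOF indication so readline sees new lines
            time.sleep(3)
            if Quitting :
                break
            if \
                    os.path.realpath("/proc/self/fd/%d" % LogFile.fileno()) \
                != \
                    os.path.realpath(LogFileName) \
            :
                # the log has been rotated: drop this handle so the new
                # file gets opened on the next pass
                LogFile.close()
                LogFile = None
            #end if
            for Addr in list(Hit.keys()) : # copy: entries are deleted while iterating
                Hit[Addr].ExpireHits()
                if len(Hit[Addr].Hits) == 0 :
                    del Hit[Addr] # keep Hit from growing without bound
                #end if
            #end for
            time.sleep(2) # give a rotation in progress time to complete
            if Quitting :
                break
        #end while
        if LogFile != None :
            LogFile.close()
        #end if
        for Addr in list(Hit.keys()) :
            Hit[Addr].Unblock() # don't leave any of my blocks behind
            del Hit[Addr]
        #end for
    #end main

    if __name__ == "__main__" :
        main()
    #end if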

  2. Re: block_ssh_guessers

    On Mon, 17 Apr 2006 10:57:53 +1200, Lawrence D'Oliveiro
    wrote:

    >#!/usr/bin/python

    ==-- SNIP --==

    This is useless because the line wrap destroys the syntax.

    Post a link to a .tar.gz file or forget it.
    --
    buck

  3. Re: block_ssh_guessers

    In article ,
    buck wrote:

    >On Mon, 17 Apr 2006 10:57:53 +1200, Lawrence D'Oliveiro
    > wrote:
    >
    >>#!/usr/bin/python

    >==-- SNIP --==
    >
    >This is useless because the line wrap destroys the syntax.
    >
    >Post a link to a .tar.gz file or forget it.


    You forgot the magic word...

  4. Re: block_ssh_guessers

    Lawrence D'Oliveiro gave the game away:
    > Here's a script I wrote that watches for SSH password-guessing attempts
    > and adds iptables rules to temporarily lock them out. It specifically

    [snip]
    > Comments welcomed.


    How does this compare to, say, fail2ban[0]?

    [0] http://fail2ban.sourceforge.net

    --
    Matt Alexander
    majelix@geh-hibidy-hoo-ha
    Student, Consumer, Tool.

  5. Re: block_ssh_guessers

    On 17.04.2006, U.P.:up wrote:
    > Lawrence D'Oliveiro gave the game away:
    >> Here's a script I wrote that watches for SSH password-guessing attempts
    >> and adds iptables rules to temporarily lock them out. It specifically

    > [snip]
    >> Comments welcomed.

    >
    > How does this compare to, say, fail2ban[0]?
    >
    > [0] http://fail2ban.sourceforge.net


    And how does fail2ban compare to, say, PAM antibrute-force module[0]?
    By the way, banning people trying to guess passwords is no protection by
    itself: a guesser who has the right password gets in on the first try,
    and one with many source addresses just rotates them. Banning is useful
    mainly for keeping the logs clear.

    [0] pam_brute module,
    http://dynamit.im.pwr.wroc.pl/dozzie...pam/pam.tar.gz
    Common README for other modules in Polish only.

    --
    Feel free to correct my English
    Stanislaw Klekot

  6. Re: block_ssh_guessers

    On Mon, 17 Apr 2006, in the Usenet newsgroup comp.os.linux.security, in article
    , Lawrence D'Oliveiro wrote:

    >Here's a script I wrote that watches for SSH password-guessing attempts
    >and adds iptables rules to temporarily lock them out. It specifically
    >watches for lots of "invalid user" messages, which is more
    >characteristic of these SSH guessers than ones about wrong passwords.


    Why the fsck are you using passwords - use certificates instead.

    Why are you allowing connections from everywhere? Limit access to those
    addresses, or address ranges that you have reasonable expectation to want
    to have connecting.

    >I came across this fascinating-sounding "tarpit" option in the man page
    >for iptables. Unfortunately, my kernel (2.6.13-15-default for OpenSuSE
    >10.0) doesn't seem to have it enabled. It seems to me that would be a
    >much more effective deterrent.


    If you absolutely MUST allow connections from the world, and you can't
    be bothered to set up certificates, google for port knocking. When you
    want to connect, you _first_ try to connect (ftp, http, DOES NOT MATTER)
    to some high port that is closed. The firewall detects this attempt, and
    temporarily opens some OTHER port to that specific IP address, which is
    where you have your SSHD running. Once the connection is made, the hole
    can be closed, relying on the ESTABLISHED rule to keep the connection
    usable.

    Old guy

  7. Re: block_ssh_guessers

    In article ,
    ibuprofin@painkiller.example.tld (Moe Trin) wrote:

    >If you absolutely MUST allow connections from the world, and you can't
    >be bothered to set up certificates, google for port knocking.


    port-knocking--don't be bloody stupid.

  8. Re: block_ssh_guessers

    Lawrence D'Oliveiro wrote:
    > In article ,
    > ibuprofin@painkiller.example.tld (Moe Trin) wrote:
    >
    >> If you absolutely MUST allow connections from the world, and you can't
    >> be bothered to set up certificates, google for port knocking.

    >
    > port-knocking--don't be bloody stupid.


    Care to share why you think port-knocking is stupid? Love people who
    expect their opinion to be taken without foundation :-(

    --
    -bill davidsen (davidsen@tmr.com)
    "The secret to procrastination is to put things off until the
    last possible moment - but no longer" -me

  9. Re: block_ssh_guessers

    In article ,
    Bill Davidsen wrote:

    >Lawrence D'Oliveiro wrote:
    >> In article ,
    >> ibuprofin@painkiller.example.tld (Moe Trin) wrote:
    >>
    >>> If you absolutely MUST allow connections from the world, and you can't
    >>> be bothered to set up certificates, google for port knocking.

    >>
    >> port-knocking--don't be bloody stupid.

    >
    >Care to share why you think port-knocking is stupid?


    Ever heard of the term "replay attack"?

  10. Re: block_ssh_guessers

    Lawrence D'Oliveiro wrote:

    > In article ,
    > Bill Davidsen wrote:
    >
    >>Lawrence D'Oliveiro wrote:
    >>> In article ,
    >>> ibuprofin@painkiller.example.tld (Moe Trin) wrote:
    >>>
    >>>> If you absolutely MUST allow connections from the world, and you can't
    >>>> be bothered to set up certificates, google for port knocking.
    >>>
    >>> port-knocking--don't be bloody stupid.

    >>
    >>Care to share why you think port-knocking is stupid?

    >
    > Ever heard of the term "replay attack"?


    Ever hear of changing the sequence with each connection? As soon as the
    sequence is used, it's changed, you can replay (IF that is, you were ever
    able to get the sequence in the first place) all you want, the code you
    sniffed is invalid.

    Ever learn to think?

  11. Re: block_ssh_guessers

    Lawrence D'Oliveiro wrote:

    > In article ,
    > Bill Davidsen wrote:
    >
    >>Lawrence D'Oliveiro wrote:
    >>> In article ,
    >>> ibuprofin@painkiller.example.tld (Moe Trin) wrote:
    >>>
    >>>> If you absolutely MUST allow connections from the world, and you can't
    >>>> be bothered to set up certificates, google for port knocking.
    >>>
    >>> port-knocking--don't be bloody stupid.

    >>
    >>Care to share why you think port-knocking is stupid?

    >
    > Ever heard of the term "replay attack"?


    As I said in another message, a simple setup to change the sequence every
    time defeats any "replay attack". But even without a setup to change the
    sequence, it would be very difficult to get a sequence. One would have to
    be in the right place at the right time and be able to distinguish a knock
    from all the portscanning that goes on internet-wide. EVEN if someone gets
    the knocking sequence, they are NOT ON THE SYSTEM, they are at an open ssh
    port. So, it is far, far more difficult for someone to launch a buffer
    overflow attack against someone that uses port-knocking than it is to
    launch a buffer overflow attack against a port that is just left open,
    even if the user uses certificates.

  12. Re: block_ssh_guessers

    In article <1551761.ZgHNHj5mP8@rcn.com>,
    matt_left_coast wrote:

    >Lawrence D'Oliveiro wrote:
    >
    >> In article ,
    >> Bill Davidsen wrote:
    >>
    >>>Lawrence D'Oliveiro wrote:
    >>>> In article ,
    >>>> ibuprofin@painkiller.example.tld (Moe Trin) wrote:
    >>>>
    >>>>> If you absolutely MUST allow connections from the world, and you can't
    >>>>> be bothered to set up certificates, google for port knocking.
    >>>>
    >>>> port-knocking--don't be bloody stupid.
    >>>
    >>>Care to share why you think port-knocking is stupid?

    >>
    >> Ever heard of the term "replay attack"?

    >
    >Ever hear of changing the sequence with each connection? As soon as the
    >sequence is used, it's changed, you can replay (IF that is, you were ever
    >able to get the sequence in the first place) all you want, the code you
    >sniffed is invalid.
    >
    >Ever learn to think?


    What happens if somebody else uses the sequence first?

  13. Re: block_ssh_guessers

    Lawrence D'Oliveiro wrote:

    > In article <1551761.ZgHNHj5mP8@rcn.com>,
    > matt_left_coast wrote:
    >
    >>Lawrence D'Oliveiro wrote:
    >>
    >>> In article ,
    >>> Bill Davidsen wrote:
    >>>
    >>>>Lawrence D'Oliveiro wrote:
    >>>>> In article ,
    >>>>> ibuprofin@painkiller.example.tld (Moe Trin) wrote:
    >>>>>
    >>>>>> If you absolutely MUST allow connections from the world, and you
    >>>>>> can't be bothered to set up certificates, google for port knocking.
    >>>>>
    >>>>> port-knocking--don't be bloody stupid.
    >>>>
    >>>>Care to share why you think port-knocking is stupid?
    >>>
    >>> Ever heard of the term "replay attack"?

    >>
    >>Ever hear of changing the sequence with each connection? As soon as the
    >>sequence is used, it's changed, you can replay (IF that is, you were ever
    >>able to get the sequence in the first place) all you want, the code you
    >>sniffed is invalid.
    >>
    >>Ever learn to think?

    >
    > What happens if somebody else uses the sequence first?


    Message ID: <1260091.Phitpe1UFV@rcn.com>

    I use a 20-knock sequence where each knock can be a number between 1 and
    1024. Do the math, then tell me how you are going to get the sequence
    first. Good luck trying to "brute force" the sequence.

    Even then, I am NO WORSE OFF THAN WHERE YOUR SYSTEM STARTS. For all your
    effort, all you have gotten is an open port. YOU HAVE NOT GOTTEN INTO THE
    SYSTEM. In fact, I'm still better off than if the port was just left open
    to the world, because it would be open to only ONE address. If I thought
    you had a realistic chance of getting the sequence, I could have it that
    you then need to log in WITH the right login or get locked out.





  14. Re: block_ssh_guessers

    On Fri, 21 Apr 2006, in the Usenet newsgroup comp.os.linux.security, in article
    , Bill Davidsen wrote:

    >Lawrence D'Oliveiro wrote:


    >> ibuprofin@painkiller.example.tld (Moe Trin) wrote:


    >>> If you absolutely MUST allow connections from the world, and you can't
    >>> be bothered to set up certificates, google for port knocking.

    >>
    >> port-knocking--don't be bloody stupid.


    >Care to share why you think port-knocking is stupid? Love people who
    >expect their opinion to be taken without foundation :-(


    Apparently, if you use port-knocking, he believes you are not permitted to
    use any other means of authentication. So if the bad guy finds your port,
    you're screwed. It's a bit sad that he forgets that moving the daemon
    to a different port doesn't disable the (default) authentication mode.

    We used port-knocking in the early 1990s to help shield telnet. And
    contrary to his wildest dreams, we didn't have a problem with the
    authentication going over the wire as clear text because we used
    usernames that changed after every successful login. The change itself
    was trivial (had to be until we started using SecurID cards) but there
    was zero problem with port scanning. The passwords were dictated by a
    simple 'day-of-month mod day-of-week' rule with a UTC time-of-day
    modification. A bit of a pain to learn and set up, but adequate for what
    was being protected.

    Old guy

  15. Re: block_ssh_guessers

    ibuprofin@painkiller.example.tld (Moe Trin) (06-04-22 17:25:17):

    > > Care to share why you think port-knocking is stupid? Love people who
    > > expect their opinion to be taken without foundation :-(

    >
    > Apparently, if you use port-knocking, he believes you are not
    > permitted to use any other means of authentication. So if the bad guy
    > finds your port, you're screwed. It's a bit sad that he forgets that
    > moving the daemon to a different port doesn't disable the (default)
    > authentication mode.


    Still something like IPsec (which I use in my LAN) is a lot better than
    port-knocking. It defeats virtually any attack, because of
    cryptographic host authentication. You could filter non-authenticated
    traffic to your SSH port and others. By the way, that also defeats
    replay attacks mentioned in another subthread.


    Regards.

  16. Re: block_ssh_guessers

    Ertugrul Soeylemez wrote:

    > Still something like IPsec (which I use in my LAN) is a lot better than
    > port-knocking.


    How so? The two secure different things. If I secure my port with
    portknocking I can STILL use IPsec. The fact that you do act as if they are
    exclusionary methods makes me wonder if you know what you are talking
    about.

    > It defeats virtually any attack,


    Other that buffer-overflow attacks that your "leave the port open to the
    world" clearly allows but port-knocking helps defend against.

    > because of
    > cryptographic host authentication.


    Oh, it only guards against "authentication" attacks, not "virtually any
    attack" as you claim.

    > You could filter non-authenticated
    > traffic to your SSH port and others.


    But with port-knocking you can STILL do you're little filter thingy BUT the
    script kiddies would have to break port-knocking (something that is NOT AT
    ALL EASY TO DO) before they ever get to the point where your little script
    is even useful. My bet? If you use port-knocking, your little filter thingy
    would never get used.

    > By the way, that also defeats
    > replay attacks mentioned in another subthread.
    >


    As pointed out to you in that other subthread, replay attacks (if even a
    REALISTIC threat) can be prevented by just changing the port knocking
    sequence each login.

    Of course it is debatable that "replay attacks" are even a realistic
    threat. Yes, they are theoretically possible, but it is also possible that
    aliens will come to earth from the Andromeda Galaxy and give us technology
    that will break Ertugrul's IPsec system. The fact of the matter is, GETTING
    the port-knocking system is extremely unlikely. Even still, every bit of
    Ertugrul's "security" could still be used WITH THE ADVANTAGE that the port
    would still not be open to the whole world. Port-knocking would improve "
    Ertugrul's" system of security. If Ertugrul truly understood security, he
    would be able to see that.

  17. Re: block_ssh_guessers

    Moe Trin wrote:

    >>Care to share why you think port-knocking is stupid? Love people who
    >>expect their opinion to be taken without foundation :-(

    >
    > Apparently, if you use port-knocking, he believes you are not permitted to
    > use any other means of authentication. So if the bad guy finds your port,
    > you're screwed. It's a bit sad that he forgets that moving the daemon
    > to a different port doesn't disable the (default) authentication mode.


    Of course port knocking is a great method of security. The great advantage
    is that if you implement port knocking and someone somehow gets a port
    knock sequence, your system is STILL more secure than when you started. IF
    someone does get a sequence, all they get to is an open port, not logged
    into the system. The port is only open to a single IP address, rather than
    the whole world (the common solution to allow mobile users to login from
    anywhere in the world over the internet). So, you add security such that
    when the security is breached, you are still more secure than if you did
    not install the security. The person that breaches port-knocking still has
    not gained access to the system, only managed to open a port.

    >
    > We used port-knocking in the early 1990s to help shield telnet. An
    > contrary to his wildest dreams, we didn't have a problem with the
    > authentication going over the wire as clear text because we used
    > usernames that changed after every successful login. The change itself
    > was trivial (had to be until we started using SecureID cards) but there
    > was zero problem with port scanning. The passwords were dictated by a
    > simple 'day-of-month' mod day-of-week' with a UTC time-of-day modification
    > A bit of a pain to learn and set up, but adequate for what was being
    > protected.


    cool.



  18. Re: block_ssh_guessers

    On 25.04.2006, matt_left_coast wrote:
    > Ertugrul Soeylemez wrote:
    >
    >> Still something like IPsec (which I use in my LAN) is a lot better than
    >> port-knocking.

    >
    > How so? The two secure different things. If I secure my port with
    > portknocking I can STILL use IPsec. The fact that you do act as if they are
    > exclusionary methods makes me wonder if you know what you are talking
    > about.


    Have you already configured any IPsec tunnel? Especially with KLIPS
    (Openswan) implementation.

    >> It defeats virtually any attack,

    >
    > Other that buffer-overflow attacks that your "leave the port open to the
    > world" clearly allows but port-knocking helps defend against.


    I don't see how port knocking could help while IPsec couldn't.

    >> because of
    >> cryptographic host authentication.

    >
    > Oh, it only guards against "authentication" attacks, not "virtually any
    > attack" as you claim.


    Try to connect to my NIS or NFS server. Go on. I've bound portmapper and
    the rest of RPC garbage to ipsec0 and I use X.509 certificates
    for mandatory authentication (i.e. no opportunistic encryption).

    --
    Feel free to correct my English
    Stanislaw Klekot

  19. Re: block_ssh_guessers

    Stachu 'Dozzie' K. wrote:

    > On 25.04.2006, matt_left_coast wrote:
    >> Ertugrul Soeylemez wrote:
    >>
    >>> Still something like IPsec (which I use in my LAN) is a lot better than
    >>> port-knocking.

    >>
    >> How so? The two secure different things. If I secure my port with
    >> portknocking I can STILL use IPsec. The fact that you do act as if they
    >> are exclusionary methods makes me wonder if you know what you are talking
    >> about.

    >
    > Have you already configured any IPsec tunnel? Especially with KLIPS
    > (Openswan) implementation.


    Read the topic of the thread: "Re: block_ssh_guessers". But hey, in order
    for IPsec to work, traffic has to be ALLOWED from an IP address. When a
    person with a laptop is traveling around the world, are you going to let
    IKE packets on UDP port 500 (plus protocol 50) incoming and outgoing to
    everywhere in the world? Or would it be better and more secure to use port
    knocking to configure the firewall to only allow the port 500 packets
    from (and to) the laptop's current position?


    http://www.freeswan.org/freeswan_tre.../firewall.html
    >
    >>> It defeats virtually any attack,

    >>
    >> Other that buffer-overflow attacks that your "leave the port open to the
    >> world" clearly allows but port-knocking helps defend against.

    >
    > I don't see how port knocking could help while IPsec couldn't.


    Never claimed IPsec couldn't help, but the SUBJECT OF THE THREAD IS
    "block_ssh_guessers". I was talking about securing ssh. If you are only
    connecting from well known addresses, then you can lock down to the known
    addresses. The issue for both ssh and IPsec is when you are travelling with
    a laptop and need to connect from ANY address anywhere in the world. You
    can open port 22 for ssh and port 500 for IPsec so that EVERYONE IN THE
    WORLD CAN TRY BUFFER ATTACKS AGAINST THEM, or you can use port-knocking to
    open the ports only to the current IP address of the laptop, meaning that
    port 22 and port 500 are not just left open for anyone to try to
    attack.

    >
    >>> because of
    >>> cryptographic host authentication.

    >>
    >> Oh, it only guards against "authentication" attacks, not "virtually any
    >> attack" as you claim.

    >
    > Try to connect to my NIS or NFS server. Go on. I've bound portmapper and
    > the rest of RPC garbage to ipsec0 and I use X.509 certificates
    > for mandatory authentication (i.e. no opportunistic encryption).


    Sure its secure from buffer overflow attacks? Are you sure you want to leave
    port 500 open for EVERYONE IN THE WORLD TO TRY BUFFER OVERFLOW ATTACKS?

    >



  20. Re: block_ssh_guessers

    On 25.04.2006, matt_left_coast wrote:
    > Stachu 'Dozzie' K. wrote:
    >
    >> On 25.04.2006, matt_left_coast wrote:
    >>> Ertugrul Soeylemez wrote:
    >>>
    >>>> Still something like IPsec (which I use in my LAN) is a lot better than
    >>>> port-knocking.
    >>>
    >>> How so? The two secure different things. If I secure my port with
    >>> portknocking I can STILL use IPsec. The fact that you do act as if they
    >>> are exclusionary methods makes me wonder if you know what you are talking
    >>> about.

    >>
    >> Have you already configured any IPsec tunnel? Especially with KLIPS
    >> (Openswan) implementation.

    >
    > Read the topic of the tread: "Re: block_ssh_guessers" But hey, in order for
    > IPsec to work, traffic has to be ALLOWED from an IP address.


    But hey, it doesn't have to be allowed if it's SSH traffic. Just ESP
    and, maybe, IKE traffic.

    >>>> It defeats virtually any attack,
    >>>
    >>> Other that buffer-overflow attacks that your "leave the port open to the
    >>> world" clearly allows but port-knocking helps defend against.

    >>
    >> I don't see how port knocking could help while IPsec couldn't.

    >
    > Never claimed IPsec couldn't help, but the SUBJECT OF THE THREAD IS
    > "block_ssh_guessers" I was talking about securing ssh. If you are only
    > connecting from well known addresses, then you can lock down to the known
    > addresses. The issue for both ssh and IPsec is when you are travailing with
    > a laptop and need to connect from ANY address anywhere in the world. You
    > can open port 22 for ssh and port 500 for IPsec so that EVERYONE IN THE
    > WORLD CAN TRY BUFFER ATTACKS AGAINST THEM, or you can use port-knocking to
    > open the ports


    ....so that EVERYONE IN THE WORLD CAN TRY BUFFER ATTACKS against the
    port-knocking daemon instead. Great.

    >>>> because of
    >>>> cryptographic host authentication.
    >>>
    >>> Oh, it only guards against "authentication" attacks, not "virtually any
    >>> attack" as you claim.

    >>
    >> Try to connect to my NIS or NFS server. Go on. I've bound portmapper and
    >> the rest of RPC garbage to ipsec0 and I use X.509 certificates
    >> for mandatory authentication (i.e. no opportunistic encryption).

    >
    > Sure its secure from buffer overflow attacks? Are you sure you want to leave
    > port 500 open for EVERYONE IN THE WORLD TO TRY BUFFER OVERFLOW ATTACKS?


    Are you sure your port knocking daemon doesn't have buffer overflows in
    pattern matching code? That's the same situation.

    --
    Feel free to correct my English
    Stanislaw Klekot
