[svlug] What to do about ssh hack attempts?
Nick Austin
nick at smartaustin.com
Wed Feb 1 12:02:15 PST 2006
On Wed, Feb 01, 2006 at 10:42:59AM -0800, Rick Moen wrote:
> Quoting Jeff Frost (jeff at frostconsultingllc.com):
>
> > You can find sshblack here:
> > http://www.pettingers.org/code/sshblack.html
>
> So, anyone who can simulate a dictionary ssh attack from spoofed source
> IPs can force your system to DoS itself,
Yes, anybody who can do this.
> by causing it to blacklist
> whatever IPs the person doing the remote probes wishes.
So in order to spoof an ssh login, you need to spoof 17 packets, and packets
8 -> 14 require key exchanges. This means that you need packet 10, 12, and 14
to get to the point where you could even feed sshd a password. This is on top
of the TCP SEQ number guessing.
Now, I hate to use the word impossible, but I think that doing a DDoS against
a box like this would be much easier. Or perhaps even getting plane tickets
from Russia, breaking into the house and stealing the hard drive would be
easier than trying to have this box blacklist itself.
Plus, even if you have a problem logging in yourself (a much bigger issue in
my mind) these blocks are temporary.
On balance, this seems like a pretty reasonable system.
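An added illustration of the mechanism the thread is discussing, written for this page and not taken from sshblack or from the message above: a sshblack-style blocklist that counts failed sshd password attempts per source address over a sliding window, blocks a source temporarily once it crosses a threshold, expires the block after a fixed time, and never blocks an allowlisted address (the practical mitigation for the "locking yourself out" concern). The threshold, window, block duration, allowlist entries and log lines are all constructed assumptions; sshblack's real defaults are not shown on this page.

```python
"""Simplified sshblack-style temporary blocklist (added example, not sshblack's code).

Parses OpenSSH "Failed password" log lines, counts failures per source IP inside a
sliding window, and returns the set of sources whose temporary block is still active.
Every threshold, duration, address and log line below is an assumption for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Classic syslog lines carry no year; the thread is from 2006, so that is assumed.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log; no line comes from a real host.
SAMPLE_LOG = """\
Feb  1 11:50:01 host sshd[4001]: Failed password for invalid user admin from 10.0.0.9 port 40001 ssh2
Feb  1 11:50:02 host sshd[4002]: Failed password for invalid user admin from 10.0.0.9 port 40002 ssh2
Feb  1 11:50:03 host sshd[4003]: Failed password for root from 10.0.0.9 port 40003 ssh2
Feb  1 11:50:04 host sshd[4004]: Failed password for root from 10.0.0.9 port 40004 ssh2
Feb  1 11:50:05 host sshd[4005]: Failed password for root from 10.0.0.9 port 40005 ssh2
Feb  1 11:51:00 host sshd[4006]: Failed password for nick from 192.168.1.5 port 50001 ssh2
Feb  1 11:51:01 host sshd[4007]: Failed password for nick from 192.168.1.5 port 50002 ssh2
Feb  1 11:51:02 host sshd[4008]: Failed password for nick from 192.168.1.5 port 50003 ssh2
Feb  1 11:51:03 host sshd[4009]: Failed password for nick from 192.168.1.5 port 50004 ssh2
Feb  1 11:51:04 host sshd[4010]: Failed password for nick from 192.168.1.5 port 50005 ssh2
Feb  1 11:52:00 host sshd[4011]: Failed password for guest from 172.16.0.7 port 60001 ssh2
Feb  1 11:52:01 host sshd[4012]: Accepted publickey for nick from 192.168.1.5 port 50006 ssh2
"""

THRESHOLD = 5                   # failures inside WINDOW that trigger a block (assumed)
WINDOW = timedelta(minutes=5)   # sliding window for counting failures (assumed)
BLOCK_FOR = timedelta(hours=1)  # blocks are temporary, as the message notes (assumed)
ALLOWLIST = {"192.168.1.5"}     # addresses never blocked, e.g. your own workstation (assumed)


def parse_failures(log_text, year=2006):
    """Yield (timestamp, source_ip) for every failed-password line; others are skipped."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def compute_blocks(log_text, now, threshold=THRESHOLD, window=WINDOW,
                   block_for=BLOCK_FOR, allowlist=ALLOWLIST):
    """Return {ip: expiry} for sources that crossed the threshold and whose
    block has not yet expired at `now`."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    blocks = {}                  # ip -> datetime at which the block expires
    for ts, ip in sorted(parse_failures(log_text)):
        if ip in allowlist:
            continue             # allowlisted sources are never blocked
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()          # forget failures that fell out of the window
        if len(q) >= threshold and ip not in blocks:
            blocks[ip] = ts + block_for
    # Dropping expired entries is what keeps a mistaken or self-inflicted block temporary.
    return {ip: exp for ip, exp in blocks.items() if exp > now}


def blocked_ips(log_text, now_iso, **kw):
    """Convenience wrapper: ISO-8601 timestamp in, sorted list of blocked IPs out."""
    return sorted(compute_blocks(log_text, datetime.fromisoformat(now_iso), **kw))


if __name__ == "__main__":
    for when in ("2006-02-01T12:00:00", "2006-02-01T13:00:00"):
        print(when, "blocked:", blocked_ips(SAMPLE_LOG, when))
```

Run as written, the 10.0.0.9 source is blocked at 12:00 and no longer blocked at 13:00, while 192.168.1.5 crosses the same threshold but stays reachable because it is allowlisted; passing `allowlist=set()` shows what the lockout would look like without that safeguard.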