[svlug] What to do about ssh hack attempts?
Joe Buck
Joe.Buck at synopsys.COM
Wed Feb 1 17:59:25 PST 2006
On Wed, Feb 01, 2006 at 12:02:15PM -0800, Nick Austin wrote:
> On Wed, Feb 01, 2006 at 10:42:59AM -0800, Rick Moen wrote:
> > So, anyone who can simulate a dictionary ssh attack from spoofed source
> > IPs can force your system to DoS itself,
>
> Yes, anybody who can do this.
>
> > by causing it to blacklist
> > whatever IPs the person doing the remote probes wishes.
>
> So in order to spoof an ssh login, you need to spoof 17 packets, and packets
> 8 -> 14 require key exchanges. This means that you need packet 10, 12, and 14
> to get to the point where you could even feed sshd a password. This is on top
> of the TCP SEQ number guessing.
Provided that the blacklist doesn't kick in until after the point where
the attacker has successfully fed sshd several bad passwords, we then know
it's not a spoofed source IP. So it seems Rick's objection doesn't hold
up.
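Joe's point above is that a blacklist which only fires after several completed password failures cannot be fed by spoofed source addresses, since reaching that point requires a real TCP session and a finished key exchange. As an added example (not code from this thread), a small log filter that counts only sshd "Failed password" lines per source address and ignores pre-authentication noise; the log lines, address values and the threshold of five failures are all constructed assumptions:

```python
import re
from collections import Counter

# Constructed sample of sshd auth.log lines (not taken from the thread).
SAMPLE_LOG = """\
Feb  1 17:50:01 host sshd[2001]: Did not receive identification string from 198.51.100.7
Feb  1 17:50:03 host sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 44321 ssh2
Feb  1 17:50:05 host sshd[2003]: Failed password for invalid user admin from 203.0.113.5 port 44322 ssh2
Feb  1 17:50:06 host sshd[2004]: Connection closed by 198.51.100.7 [preauth]
Feb  1 17:50:08 host sshd[2005]: Failed password for root from 203.0.113.5 port 44323 ssh2
Feb  1 17:50:09 host sshd[2006]: Failed password for root from 203.0.113.5 port 44324 ssh2
Feb  1 17:50:11 host sshd[2007]: Failed password for root from 203.0.113.5 port 44325 ssh2
Feb  1 17:50:12 host sshd[2008]: Failed password for bob from 192.0.2.9 port 51000 ssh2
Feb  1 17:50:20 host sshd[2009]: Accepted publickey for bob from 192.0.2.9 port 51001 ssh2
"""

# Only a completed authentication attempt counts: sshd logs "Failed password"
# after the key exchange, so the peer must have held a real TCP session and
# finished the SSH handshake. Pre-auth lines ("Did not receive identification
# string", "Connection closed ... [preauth]") are deliberately not matched.
FAILED_PASSWORD = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)


def count_failed_passwords(log_text):
    """Return {source_ip: number of post-handshake password failures}."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_PASSWORD.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def ips_to_blacklist(log_text, threshold=5):
    """Addresses with at least `threshold` failed passwords (threshold is an assumed tuning value)."""
    return sorted(ip for ip, n in count_failed_passwords(log_text).items() if n >= threshold)


if __name__ == "__main__":
    print(ips_to_blacklist(SAMPLE_LOG))  # ['203.0.113.5']
```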