staticsafe wrote:
> On Sun, Jun 30, 2013 at 03:15:47PM +0200, Pascal Hambourg wrote:
>> Redalert Commander wrote:
>>> ---------- Forwarded message ----------
>>> From: Igor Cicimov
>>>
>>>> You can block repeated attempts to log in with iptables using the
>>>> 'recent' module, an alternative is 'fail2ban', which monitors your
>>>> server logs (ssh, apache, and others) for failed login attempts and then
>>>> adds an iptables rule for the offending IP.
>>
>> The 'recent' match is vulnerable to source IP address spoofing and can
>> be abused to cause a DoS for the spoofed address. fail2ban is much less
>> vulnerable to such attacks.

Jerry Stuckle wrote:
> I don't understand this statement. How is 'recent' more vulnerable to
> source IP address spoofing than fail2ban? Both depend only on the
> supplied address.

The ruleset using the 'recent' match is based only on TCP packets with the NEW state, i.e. the initial SYN. A single SYN packet can be easily forged with a spoofed source address.

Fail2ban is based on authentication failures, which first requires a TCP connection to be established with the 3-way handshake. As it involves a positive reply from the spoofed address, this is much harder to achieve, unless the attacker is in a special position on the network.

> And how can recent 'be abused to cause a DoS...' any more than fail2ban?

This is just the consequence of the above.

> IP address spoofing with TCP, what?

Yes.

> That only works with UDP.

No. It works with any mechanism which is based on a simple packet instead of a real "stateful" connection (including a positive reply). Which is the case here, see below.

> (Hint - three way handshake for TCP).

As I wrote above, the proposed rulesets using the 'recent' and 'limit' matches are only based on the initial SYN packets. They do not care about the 3-way handshake.

--
Archive: http://lists.debian.org/51d07700.1090...@plouf.fr.eu.org
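The difference Pascal describes can be made concrete with a small model of the two mechanisms. The following is an added illustration, not code from the thread or from fail2ban/netfilter: `recent_style_blocks` mimics a rule of the form `-p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP`, which counts every NEW SYN per source, while `fail2ban_style_blocks` mimics an sshd jail that counts only logged authentication failures, which sshd can emit only after a completed handshake. The event trace, the addresses and the thresholds (60 s window, hitcount 4, maxretry 3) are all constructed assumptions.

```python
"""Model of why a SYN-counting 'recent' rule is easier to poison with forged
packets than a log-based blocker.  Added illustration; nothing here is code
from the mailing-list thread, iptables or fail2ban."""
from collections import defaultdict, deque

SECONDS = 60   # assumed --seconds window of the 'recent' rule
HITCOUNT = 4   # assumed --hitcount threshold of the 'recent' rule
MAXRETRY = 3   # assumed fail2ban maxretry for the sshd jail

# Constructed trace of what the host sees, as (time_in_seconds, kind, source):
#   'syn'          initial SYN, conntrack state NEW; needs no reply from source
#   'established'  3-way handshake completed; required the source's own ACK
#   'auth_fail'    sshd logged a failed login on an established connection
EVENTS = [
    # 203.0.113.7 (constructed): three real connections, three failed logins
    (0, "syn", "203.0.113.7"), (0, "established", "203.0.113.7"), (1, "auth_fail", "203.0.113.7"),
    (5, "syn", "203.0.113.7"), (5, "established", "203.0.113.7"), (6, "auth_fail", "203.0.113.7"),
    (10, "syn", "203.0.113.7"), (10, "established", "203.0.113.7"), (11, "auth_fail", "203.0.113.7"),
    # four SYNs carrying the address 198.51.100.20 (constructed) inside one
    # minute; no handshake follows because the SYN-ACKs go to the real owner
    (20, "syn", "198.51.100.20"), (21, "syn", "198.51.100.20"),
    (22, "syn", "198.51.100.20"), (23, "syn", "198.51.100.20"),
    # the legitimate user at 198.51.100.20 then connects and logs in cleanly
    (40, "syn", "198.51.100.20"), (40, "established", "198.51.100.20"),
]


def recent_style_blocks(events):
    """Sources the 'recent' rule would start dropping.

    Only NEW SYNs are counted, in a sliding window of SECONDS; whether a
    handshake ever completes is invisible to the rule."""
    hits = defaultdict(deque)
    blocked = set()
    for t, kind, src in events:
        if kind != "syn":
            continue
        window = hits[src]
        window.append(t)
        while window and t - window[0] > SECONDS:
            window.popleft()
        if len(window) >= HITCOUNT:
            blocked.add(src)
    return blocked


def fail2ban_style_blocks(events):
    """Sources a fail2ban sshd jail would ban.

    Only authentication failures count, and a failure can only be logged on a
    connection whose handshake completed, so a bare forged SYN never counts."""
    established = set()
    failures = defaultdict(int)
    blocked = set()
    for _t, kind, src in events:
        if kind == "established":
            established.add(src)
        elif kind == "auth_fail" and src in established:
            failures[src] += 1
            if failures[src] >= MAXRETRY:
                blocked.add(src)
    return blocked


if __name__ == "__main__":
    print("recent-style rule drops:", sorted(recent_style_blocks(EVENTS)))
    print("fail2ban-style jail bans:", sorted(fail2ban_style_blocks(EVENTS)))
```

On this trace the SYN counter ends up dropping 198.51.100.20, the address that never completed a handshake, while the log-based jail bans 203.0.113.7, the only source that actually failed to authenticate. The asymmetry is exactly the one in the thread: a rule keyed on NEW SYNs trusts a field that a single unacknowledged packet can carry, whereas a rule keyed on authentication failures only ever sees sources that answered a SYN-ACK.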