This is a discussion on S: ssh worms FAQ within the Linux Security forums, part of the System Security and Security Related category.
> Thank you. Why isn't it recommended?

Found the answer in the faq: "The reason for this is that a scan can be spoofed from any IP address (see the -S option to nmap). If psad is configured to automatically block scans then an attacker can spoof a scan, say, from www.yahoo.com and then you will be parsing your firewall ruleset to discover why you can't browse yahoo's website, (or you can just execute "psad --Flush" to remove any auto-generated firewall rules)."
On Mon, 11 Oct 2004 05:40:44 +0000, Stephan Goeldi wrote:

>> Thank you. Why isn't it recommended?
>
> Found the answer in the faq:
>
> "The reason for this is that a scan can be spoofed from any IP address
> (see the -S option to nmap). If psad is configured to automatically block
> scans then an attacker can spoof a scan, say, from www.yahoo.com and then
> you will be parsing your firewall ruleset to discover why you can't browse
> yahoo's website, (or you can just execute "psad --Flush" to remove any
> auto-generated firewall rules)."

I do not believe in that. First of all I would not put a domain name in the rule set since a name can be spoofed easily but it is harder to spoof an IP address. Second there should be an ignore file so that not all IPs are blocked.

I have started writing a shell script to do this since it is the only way I can have total control. I tried swatch but although it does block Failed logins it can not do things like..... block through IPTABLES more than 3 failed logins coming from the same IP or ... block through IPTABLES any IP coming more than 3 times to different services.

I am going to give psad a try next.

mc
microcheap <me@mailinator.com> writes:

[snip]
>> "The reason for this is that a scan can be spoofed from any IP address
>> (see the -S option to nmap). If psad is configured to automatically block
>> scans then an attacker can spoof a scan, say, from www.yahoo.com and then
>> you will be parsing your firewall ruleset to discover why you can't browse
>> yahoo's website, (or you can just execute "psad --Flush" to remove any
>> auto-generated firewall rules)."
>
> I do not believe in that. First of all I would not put a domain name
> in the rule set since a name can be spoofed easily but it is harder to
> spoof an IP address. Second there should be an
> ignore file so that not all IPs are blocked.

You can't put a domain-name in an iptables command, nor should you ever put a hostname in it either, for the simple reason that DNS might not be working when the script runs, leading to major delays or errors.

Maintaining any kind of `ignore' file of sites you like to visit and therefore should never be blocked by the bot is *way* too much hassle, and if it doesn't happen on a frequent basis, you'll forget the possibility exists and spend ages debugging it...

> I have started writing a shell script to do this since it is the only way
> I can have total control. I tried swatch but although it does block
> Failed logins it can not do things like..... block through IPTABLES more
> than 3 failed logins coming from the same IP or ... block through
> IPTABLES any IP coming more than 3 times to different services.

It makes me wonder what's wrong with simply either not providing the service to everyone, or securing it properly behind the scenes - ie ensuring none of your users have particularly obvious names or passwords in the case of ssh.

~Tim
-- 
Bagpuss gave a big yawn,     |piglet@stirfried.vegetable.org.uk
and settled down to sleep.   |http://www.photoboxgallery.com/timhaynes
On Tue, 12 Oct 2004 13:54:33 +0100, Tim Haynes wrote:

> microcheap <me@mailinator.com> writes:
>
> [snip]
>>> "The reason for this is that a scan can be spoofed from any IP address
>>> (see the -S option to nmap). If psad is configured to automatically block
>>> scans then an attacker can spoof a scan, say, from www.yahoo.com and then
>>> you will be parsing your firewall ruleset to discover why you can't browse
>>> yahoo's website, (or you can just execute "psad --Flush" to remove any
>>> auto-generated firewall rules)."
>>
>> I do not believe in that. First of all I would not put a domain name
>> in the rule set since a name can be spoofed easily but it is harder to
>> spoof an IP address. Second there should be an
>> ignore file so that not all IPs are blocked.
>
> You can't put a domain-name in an iptables command, nor should you ever put
> a hostname in it either, for the simple reason that DNS might not be
> working when the script runs, leading to major delays or errors.
>
> Maintaining any kind of `ignore' file of sites you like to visit and
> therefore should never be blocked by the bot is *way* too much hassle, and
> if it doesn't happen on a frequent basis, you'll forget the possibility
> exists and spend ages debugging it...
>
>> I have started writing a shell script to do this since it is the only way
>> I can have total control. I tried swatch but although it does block
>> Failed logins it can not do things like..... block through IPTABLES more
>> than 3 failed logins coming from the same IP or ... block through
>> IPTABLES any IP coming more than 3 times to different services.
>
> It makes me wonder what's wrong with simply either not providing the
> service to everyone, or securing it properly behind the scenes - ie
> ensuring none of your users have particularly obvious names or passwords in
> the case of ssh.
>
> ~Tim

You are right.

I do not provide the service to just anyone and I do enforce strong passwords but when I see the logs and I see some hacked computer trying to break into mine I just can not ignore it even though I am certain there is nothing to fear. A mechanism should be in place that oversees this situation and acts right away by blocking the intruder. Right now as it stands I will not know of this attempt until I view the logs.

mc
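As an added example of the kind of script the thread talks about (this is not code from any of the posters, psad or swatch), the following POSIX shell script counts sshd "Failed password" lines per source IP, skips any address listed in an ignore list, and prints the iptables command it would run for each address at or above a threshold. The log lines and the ignore list are constructed sample data embedded in the script; the threshold of 3 follows the number used in the thread. It is a dry run: it prints iptables commands rather than executing them, and the ignore list holds literal IP addresses only, since hostnames would need DNS at the moment the script runs.

```shell
#!/bin/sh
# Added example, not from the thread: per-IP failed-login counting with an
# ignore list, emitting iptables commands as a dry run.

THRESHOLD=3

# Constructed sample sshd log lines (documentation addresses, RFC 5737).
SAMPLE_LOG='Oct 12 01:02:03 host sshd[1234]: Failed password for root from 192.0.2.10 port 4444 ssh2
Oct 12 01:02:04 host sshd[1234]: Failed password for root from 192.0.2.10 port 4445 ssh2
Oct 12 01:02:05 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 4446 ssh2
Oct 12 01:02:06 host sshd[1234]: Failed password for invalid user test from 192.0.2.10 port 4447 ssh2
Oct 12 01:02:07 host sshd[1235]: Failed password for bob from 198.51.100.7 port 5555 ssh2
Oct 12 01:02:08 host sshd[1236]: Accepted publickey for alice from 203.0.113.5 port 6666 ssh2
Oct 12 01:02:09 host sshd[1237]: Failed password for root from 203.0.113.5 port 6667 ssh2
Oct 12 01:02:10 host sshd[1237]: Failed password for root from 203.0.113.5 port 6668 ssh2
Oct 12 01:02:11 host sshd[1237]: Failed password for root from 203.0.113.5 port 6669 ssh2
Oct 12 01:02:12 host sshd[1237]: Failed password for root from 203.0.113.5 port 6670 ssh2'

# Constructed ignore list: one literal IP address per line, never a hostname
# (DNS may be unavailable or slow when the script runs). 203.0.113.5 plays
# the role of an address you must never lock yourself out from.
IGNORE_LIST='203.0.113.5'

# count_failed: read log lines on stdin and print "count ip" for every source
# address that produced at least one "Failed password" line. Only sshd lines
# are matched; the "Accepted publickey" line above is ignored.
count_failed() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# offenders: print, one per line, each address with at least THRESHOLD
# failures that is not on the ignore list.
offenders() {
    printf '%s\n' "$SAMPLE_LOG" | count_failed | while read -r count ip; do
        [ "$count" -ge "$THRESHOLD" ] || continue
        if printf '%s\n' "$IGNORE_LIST" | grep -qxF "$ip"; then
            continue   # whitelisted: never block, whatever the count
        fi
        printf '%s\n' "$ip"
    done
}

# block_commands: print the iptables rule that would be inserted for each
# offender. Replace printf with the real command only after reviewing output.
block_commands() {
    offenders | while read -r ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$ip"
    done
}

block_commands
```

With the sample data, 192.0.2.10 (four failures) is reported, 198.51.100.7 (one failure) stays under the threshold, and 203.0.113.5 (four failures) is skipped because it is on the ignore list. To use it on a real host, feed `tail -n 500 /var/log/auth.log` into `count_failed` instead of the embedded sample, and keep the ignore list to addresses you have verified you own or depend on.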