List Archive: gentoo-security
On Tuesday 09 November 2004 02:52 pm, William Yang wrote:
> Philipp Kern wrote:
> > On Tue, 2004-11-09 at 15:43, William Yang wrote:
> >>There's an awful lot of "intrusion prevention" or "active response IDS"
> >>[and insert your favorite en-vogue terminology] out there in the market,
> >>and people buy it.
> >
> > Yes. But the software you mentioned doesn't block your own hosts as a
> > simple shellscript would do. That's what the original poster wanted... a
> > more or less ``simple'' script to parse /var/log/secure and block the
> > IPs using iptables.
>
> Uhm... I suppose I read the request a little less literally. It seems
> pretty clear -- at least to me -- that the original poster's idea is to
> limit ssh port probing using the features of the kernel-level firewall.
> "Simple" seems to be a somewhat relative term here. I take simple to
> be "the smallest amount of logic needed to accomplish the goal with the
> fewest adverse effects" rather than "the smallest amount of logic
> possible."
That would be correct. SSH and the iptables rules are already configured to
do some handling on spoofed packets, so the utility of this type of active
defense as a DoS attack is pretty limited. I suppose if I really wanted to
avoid possible DoS, I could add a rule chain before the INPUT chain that
explicitly allowed my IPs and sent all the packets past the INPUT chain to
the rule chain that defines more fine-grained access control. I just don't
see DoS as a real threat, since the packets need to handshake before the login
can progress anyway, which requires a real routable address, presumably
outside my network.
- Brian
--
gentoo-security@g.o mailing list