Network Security Secure-Shell

RE: Login Attempt Limits

Subject: RE: Login Attempt Limits
Date: Thu, 5 May 2005 16:47:21 -0600
That would not be trivial - if they're spoofing source IPs, they're not
going to see the response packets, since the responses will go to the
spoofed source.  That would mean, the attackers have to 

(a) guess the initial sequence numbers, just to get a TCP handshake all
the way opened.  Difficult enough on most modern operating systems -
there are some interesting math papers that go largely over my head,
which suggest that it wouldn't be altogether impossible - you might
get it to work once or twice a day if you're very clever.

(b) initiate a complete cryptographic handshake blindly - guess several
more random numbers, finally arriving at a valid session key, without
having been a party to any Diffie-Hellman negotiations.

A far easier DoS attack would involve simply exhausting your bandwidth
with a botnet.

Regards
Mark

-----Original Message-----
From: Price, Christopher
Sent: May 5, 2005 13:13
To: MPHMedia.Net; secureshell@securityfocus.com
Subject: RE: Login Attempt Limits


Your proposal could lead to a DoS attack designed to deny large ranges
of IP addresses access to your SSHD service by using IP spoofing, no?

-----Original Message-----
From: MPHMedia.Net 
Sent: Thursday, May 05, 2005 8:53 AM
To: secureshell@securityfocus.com
Subject: Login Attempt Limits
...
1. When an IP has failed attempts for different usernames within a short
period, block that IP for some number of minutes. This would be done
automatically using configuration file parameters. With this option I
would block an IP for 30 minutes after three failed attempts with
different usernames occurring under a minute.

2. Execute an IP block as above when there are 3 root user failures.

3. Execute an IP block as above when there are 5 same user failures.


This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. If 
you have received this email in error please notify the system manager. This 
message contains confidential information and is intended only for the 
individual named. If you are not the named addressee you should not 
disseminate, distribute or copy this e-mail.



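The three block rules proposed in the original message, as an added example that is not code from the thread: a small Python checker that applies them to sshd auth-log lines and reports which IP would be blocked and why. It assumes OpenSSH's "Failed password" log format, that rules 2 and 3 use the same one-minute window as rule 1, a fixed year for the syslog timestamps, and constructed sample lines with TEST-NET addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# OpenSSH "Failed password" line as sshd writes it to the auth log.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
WINDOW, BLOCK_FOR, YEAR = 60, 30 * 60, 2005  # one-minute window, 30-minute block, assumed year
def seconds(ts):  # syslog timestamp -> seconds since Jan 1 of YEAR (only differences matter)
    return (datetime.strptime(f"{YEAR} {ts}", "%Y %b %d %H:%M:%S") - datetime(YEAR, 1, 1)).total_seconds()
def rule_hit(users):
    """Rules 1-3 of the proposal, applied to one IP's failed usernames inside the window."""
    if len(set(users)) >= 3:
        return "rule 1: 3 different usernames"
    if users.count("root") >= 3:
        return "rule 2: 3 root failures"
    if max(users.count(u) for u in set(users)) >= 5:
        return "rule 3: 5 same-user failures"
    return None
def process_log(lines):
    """Return [(ip, rule)] for every block the proposal would trigger on these log lines."""
    recent, blocked_until, blocks = defaultdict(deque), {}, []  # per-IP (time, user) queue; ip -> block expiry
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, now = m["ip"], seconds(m["ts"])
        if blocked_until.get(ip, 0) > now:
            continue  # still blocked; sshd would have refused this attempt anyway
        q = recent[ip]
        q.append((now, m["user"]))
        while now - q[0][0] > WINDOW:  # forget attempts older than one minute
            q.popleft()
        rule = rule_hit([u for _, u in q])
        if rule:
            blocked_until[ip] = now + BLOCK_FOR
            blocks.append((ip, rule))
    return blocks
# Constructed sample auth log lines (TEST-NET addresses), not real traffic.
SAMPLE_LOG = """\
May  5 08:53:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2
May  5 08:53:09 bastion sshd[2104]: Failed password for invalid user oracle from 203.0.113.5 port 4431 ssh2
May  5 08:53:15 bastion sshd[2107]: Failed password for root from 203.0.113.5 port 4440 ssh2
May  5 08:54:02 bastion sshd[2110]: Failed password for root from 198.51.100.7 port 5001 ssh2
May  5 08:54:05 bastion sshd[2112]: Failed password for root from 198.51.100.7 port 5002 ssh2
May  5 08:54:08 bastion sshd[2114]: Failed password for root from 198.51.100.7 port 5003 ssh2
May  5 09:10:00 bastion sshd[2200]: Failed password for alice from 192.0.2.9 port 6000 ssh2
May  5 09:20:00 bastion sshd[2201]: Failed password for alice from 192.0.2.9 port 6001 ssh2
""".splitlines()
```

Running `process_log(SAMPLE_LOG)` blocks the first two addresses (rule 1 and rule 2) while the two slow failures from 192.0.2.9, ten minutes apart, never accumulate inside the window.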
