[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Great IP Auto-Ban script

On Fri, 2006-09-01 at 16:01 -0400, David Desrosiers wrote: 
> > However I was told that ssh has no restriction of this type.
> Nor does it need one, iptables does what you want. You can even set it to 
> drop the IPs after 'n' number of minutes, hours, days, weeks or whatever.
> For me, I just block port 22 from everywhere, and allow it from IPs I know 
> and trust, including one public machine out on the net for when I travel. 
> My LAN is pretty high visibility, so I try to lock things down as much as 
> possible.

Ok, so this mostly makes sense so far - only trust connections from
known trusted IPs

> When I'm in $RANDOM_HOTEL on travel, I just ssh into this external public 
> machine from the hotel LAN, check my connected IP is, ssh from the public 
> machine (which I trust) into my own LAN and open port 22 for the hotel's 
> /24. From there, I can then ssh directly from the hotel to my LAN without 
> any issues.

This doesn't completely work, though.  For two reasons.

First, the public machine you trust is not secure enough.  If *your*
machine requires that ssh and the strength of your password not be
trusted, how is it acceptable to trust another machine which trusts both
of those things?  Presumably, the public machine also has more accounts,
and thus more potentially weak passwords.  Even if not, it's *still*
more vulnerable, and open to attack which could eventually end up with
something that logs keystrokes, allowing an attacker to get access to
your machine.  It's like that "a chain's only as strong as its weakest
link" thing...

Second, you're opening up a whole netblock for a period of time, instead
of just one IP.  On the surface, opening up just the netblock that the
hotel (and whoever else is a client of their ISP) sounds more safe than
opening up to the whole Internet.  But consider who's more likely to
attack the machine you're connecting to - some random script kiddie, or
someone sitting in the hotel, watching traffic.  I think it's more
likely that someone would find interesting attack targets on a hotel
network, personally, than by randomly scanning the Internet.  So, by
opening up the whole hotel's block, you're actually opening up to a set
of IPs that are *more* likely to mount an attack.

"But, it's more convenient to open up the whole hotel netblock - what if
my IP changes?"  Wouldn't it be even more convenient to just open up ssh
to the world when you leave for your travels, and then close it back up
when you return?  Then you don't have to permanently trust a machine
that is less secure that yours, and you don't have that extra "what's my
IP" step.  The port-knocking thing looks neat, too, but it's still
potentially duplicatable by an informed man-in-the-middle ("huh, why all
these connects with no data sent?")...

Anyway, not to gripe - there's always *something* wrong with whatever
security approach.  Just pointing things that are relevant to consider,
and which some may not have thought about...


To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.