fail2ban attack
February 26th, 2008 by webstersprodigy

I was talking about fail2ban running from my firewall and a certain IP being the only one allowed in (as specified in iptables). First of all, I should probably be using port knocking or something better for this scenario (in fact, after the comment I went ahead and put SPA on the firewalls – something I’ve been meaning to do anyway for a while now), but that’s beside the point.
fail2ban works by denying an IP address for a set amount of time after repeated failed logins. It does this by watching log entries in /var/log/auth.log and writing corresponding iptables rules. This is mostly used for limiting SSH login failures.
Charlie mentioned that if you spoofed the IP address of the machine I was logging in from, you could maybe launch a DoS by getting the legitimate machine banned. I pleaded the security through obscurity defense.
I think the attack would not succeed. Here’s what would happen.
1) An attacker sends a spoofed SYN packet to my firewall with the legitimate source IP address (so it makes it through my dummy firewall).
2) The SSH server responds with a SYN/ACK to the correct IP address (not the attacker).
3) The correct IP address doesn’t know where this came from, so it either drops it (in my case) or sends a RST packet if there are no firewall controls on that machine.
The point is that the handshake is never completed, so there is never a failed login entry in /var/log/auth, and it never gets as far as fail2ban.
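To make the log-to-ban step concrete, here is an added example (not fail2ban’s own code) that re-implements its ban decision over a few constructed auth.log lines. The `ignoreip` whitelist mirrors fail2ban’s real jail option of that name, but wiring it in here is my assumption, not something the post describes. sshd only writes a “Failed password” line after the TCP handshake and SSH key exchange complete, so the spoofed SYN from the scenario above never produces input for this code.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the syslog format sshd writes to auth.log.
# 203.0.113.5 is a brute-forcer; 198.51.100.7 stands in for the one
# legitimate host (both are documentation addresses, not real targets).
AUTH_LOG = """\
Feb 26 10:00:01 fw sshd[2231]: Failed password for root from 203.0.113.5 port 40123 ssh2
Feb 26 10:00:04 fw sshd[2233]: Failed password for invalid user admin from 203.0.113.5 port 40124 ssh2
Feb 26 10:00:09 fw sshd[2235]: Failed password for root from 203.0.113.5 port 40125 ssh2
Feb 26 10:00:15 fw sshd[2237]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
Feb 26 10:20:00 fw sshd[2301]: Failed password for alice from 198.51.100.7 port 51010 ssh2
"""

FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (\S+) port \d+"
)

def parse_failures(log, year=2008):
    """Yield (timestamp, source_ip) for each failed-login line.
    syslog timestamps carry no year, so one is assumed."""
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)

def bans(log, maxretry=3, findtime=600, ignoreip=()):
    """Return the set of IPs that reach maxretry failures inside any
    findtime-second sliding window (fail2ban's maxretry/findtime logic).
    IPs listed in ignoreip are never banned, which is the direct defence
    against the 'get the legitimate machine banned' concern."""
    window = timedelta(seconds=findtime)
    recent = {}      # ip -> timestamps of failures still inside the window
    banned = set()
    for ts, ip in parse_failures(log):
        if ip in ignoreip:
            continue
        hits = [t for t in recent.get(ip, []) if ts - t <= window] + [ts]
        recent[ip] = hits
        if len(hits) >= maxretry:
            banned.add(ip)
    return banned
```

With the defaults only the brute-forcer is banned; lowering `maxretry` to 1 would also ban the legitimate host unless it is in `ignoreip`.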
On the other hand, there are about a gazillion other DoS attacks that would probably work. Welcome to the world of DoS, which is extremely difficult to prevent. One of the most basic ways to mitigate would be to put a -m limit rule in iptables, but there has got to be a better way. I’m looking into it now…