February 26, 2008
I was talking about fail2ban running on my firewall, with a single IP address being the only one allowed in (as specified in iptables). First of all, I should probably be using port knocking or something better for this scenario (in fact, after the comment I went ahead and put SPA on the firewalls, something I’ve been meaning to do for a while now anyway), but that’s beside the point.
fail2ban works by denying an IP address for a configurable amount of time because of failed logins. It does this by reading log entries from /var/log/auth.log and writing corresponding iptables rules. This is mostly used for limiting ssh login failures.
If you spoofed the IP address of the machine I log in from, you could maybe launch a DoS by getting the legitimate machine banned. Realistically, I think the attack would not succeed. Here’s what would happen.
- An attacker sends a spoofed connection packet (SYN) to my firewall with the legitimate IP address as its source (so it makes it through my dummy firewall).
- The ssh server responds with a SYN/ACK to the correct IP address (not the attacker).
- The correct IP address doesn’t know where this came from, so it either drops it or sends a RST packet if there are no firewall controls on the sender machine.
The point is that the handshake is never completed, so there is never a failed login entry in /var/log/auth.log, and it never gets as far as fail2ban.
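To make the mechanism concrete, here is a small fail2ban-style detector written as an added illustration (not fail2ban's own code), run over constructed auth.log lines: only real "Failed password" entries count toward a ban, a sliding window of findtime seconds and a maxretry threshold decide the ban, and an address in the whitelist (modelled on fail2ban's ignoreip option, here assumed as a plain parameter) is never banned, which is the defender's answer to the worry about the legitimate IP getting locked out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in sshd's syslog format (hosts and IPs are made up;
# 203.0.113.5 stands in for the one address allowed in through iptables).
SAMPLE_AUTH_LOG = """\
Feb 26 10:00:01 fw sshd[2101]: Failed password for root from 198.51.100.7 port 40122 ssh2
Feb 26 10:00:03 fw sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Feb 26 10:00:05 fw sshd[2105]: Failed password for root from 198.51.100.7 port 40141 ssh2
Feb 26 10:00:09 fw sshd[2107]: Accepted publickey for alice from 203.0.113.5 port 51022 ssh2
Feb 26 10:00:12 fw sshd[2109]: Failed password for alice from 203.0.113.5 port 51030 ssh2
Feb 26 10:00:13 fw sshd[2110]: Failed password for alice from 203.0.113.5 port 51031 ssh2
Feb 26 10:00:14 fw sshd[2111]: Failed password for alice from 203.0.113.5 port 51032 ssh2
"""

# Only a completed handshake plus a real authentication failure produces a line like this.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def find_bans(log_text, maxretry=3, findtime=600, ignoreip=()):
    """Return the IPs that reach maxretry failures within findtime seconds,
    in the order they would be banned; addresses in ignoreip are never banned."""
    hits = defaultdict(deque)  # ip -> timestamps of recent failures
    banned = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # 'Accepted publickey' and other non-failure lines are ignored
        ip = m.group("ip")
        if ip in ignoreip:
            continue  # whitelisted address: its failures never count
        # syslog timestamps carry no year; a single assumed year is fine for deltas
        t = datetime.strptime("2008 " + m.group("ts"), "%Y %b %d %H:%M:%S").timestamp()
        window = hits[ip]
        window.append(t)
        while window and t - window[0] > findtime:
            window.popleft()  # drop failures older than the findtime window
        if len(window) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned


if __name__ == "__main__":
    print("default:", find_bans(SAMPLE_AUTH_LOG))
    print("with whitelist:", find_bans(SAMPLE_AUTH_LOG, ignoreip={"203.0.113.5"}))
```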