On Thu, 2004-10-28 at 03:37, HaJo Schatz wrote:
> I have hacked a script which tails /var/log/secure and reacts on attempts
> to log in as root with password. Such offending IPs are then denied port
> 22 access. Any comments, positive or negative, on this?

Scot L. Harris wrote:
> Just be careful how you set this up. If the hacker figures out you are
> performing automatic blocks they can write a script to spoof addresses
> and cause your system to auto-block addresses that you might want to
> allow.

Not unless they have control of the routers between the server and the
(spoofed) client, in which case they can cut you off anyway.

SSH uses TCP. TCP isn't like UDP or ICMP: it's a connection-oriented
protocol. That means that when client A sets up a connection to server B
on port 22 (over which an SSH connection might be negotiated), A sends a
packet to B, containing the IP address of A. Now this can be faked, but B
will send back a packet to that IP address, containing data that A needs
to know to set up the connection. If A fakes the IP address, it will
never see the reply, and can't continue with the connection.

James.

(Technically, with certain sorts of network (principally Ethernet), an
attacker might be able to spoof clients or servers on the same physical
network segment. But this means that the attacking machine is within
physical range, and physical responses are practical.)

-- 
E-mail address: james  | "Face" on Mars proves to be optical illusion
@westexe.demon.co.uk   | NASA now investigating "vase" on Mars.
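The handshake argument James makes above, worked through as an added example that is not part of the original thread: a small Python simulation in which a server answers every SYN with a SYN-ACK carrying a random 32-bit initial sequence number and only moves a peer to ESTABLISHED when the returning ACK echoes that number plus one. The hosts, addresses, sequence numbers and the "Network" that routes by destination IP are all constructed for the example; a sender that forges another host's address never receives the SYN-ACK, so it cannot complete the connection that sshd needs before it would ever log a failed root login for the auto-block script to act on.

```python
import random
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    flags: str
    seq: int
    ack: int = 0

@dataclass
class Host:
    ip: str
    inbox: list = field(default_factory=list)

class Network:
    """Delivers each packet to whichever host owns the destination IP, as routers do."""
    def __init__(self, hosts):
        self.hosts = {h.ip: h for h in hosts}

    def send(self, pkt):
        if pkt.dst in self.hosts:
            self.hosts[pkt.dst].inbox.append(pkt)

class Server(Host):
    """Minimal TCP listener: SYN -> SYN-ACK with a random ISN; the ACK must carry ISN+1."""
    def __init__(self, ip):
        super().__init__(ip)
        self.half_open, self.established = {}, set()

    def drain(self, net):
        while self.inbox:
            pkt = self.inbox.pop(0)
            if pkt.flags == "SYN":
                self.half_open[pkt.src] = isn = random.getrandbits(32)
                net.send(Packet(self.ip, pkt.src, "SYN-ACK", isn, pkt.seq + 1))
            elif pkt.flags == "ACK" and pkt.ack == self.half_open.get(pkt.src, -1) + 1:
                self.established.add(pkt.src)

def attempt_handshake(attacker_ip, claimed_src, server_ip, victim_ip, seed=1):
    """Return True if the server reaches ESTABLISHED for claimed_src (constructed hosts)."""
    random.seed(seed)
    attacker, victim, server = Host(attacker_ip), Host(victim_ip), Server(server_ip)
    net = Network([attacker, victim, server])
    net.send(Packet(claimed_src, server_ip, "SYN", seq=1000))   # step 1: SYN, source address as claimed
    server.drain(net)                                            # step 2: SYN-ACK goes to claimed_src
    seen = [p for p in attacker.inbox if p.flags == "SYN-ACK"]   # attacker sees it only if it owns that IP
    ack = seen[0].seq + 1 if seen else random.getrandbits(32)    # otherwise it must guess a 32-bit ISN
    net.send(Packet(claimed_src, server_ip, "ACK", seq=1001, ack=ack))  # step 3: final ACK
    server.drain(net)
    return claimed_src in server.established
```

With a genuine source address the handshake completes; with a forged one (the SYN-ACK lands in the victim's inbox) the server keeps only a half-open entry and never logs an authentication attempt, which is why the blocking script cannot be turned against arbitrary addresses from off the local segment.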