On Thu, 2004-11-04 at 23:49, Scot L. Harris wrote:

> At what point does the system log the ssh attempt? If it is after the
> initial 3-way handshake then I think an ssh attempt could be spoofed
> without having to receive packets back from the target system. From
> what I can tell it appears that when you initiate an ssh attempt the
> standard 3-way handshake is started. You send a SYN packet, the target
> sends a SYN ACK packet. Normally since you would not get the SYN ACK
> packet the connection would not be completed. However if you
> manufacture an ACK packet and send that a few seconds after you send the
> SYN packet I think you would have a good chance of completing the
> handshake. If that gets logged as an SSH attempt then the active
> response system in place may block the spoofed sender IP address.

I have tried that. You have to have your login and password transmitted before the log entry appears through syslog (which makes sense, as the credentials appear in the log as well). I believe it's pretty hard to "pre-guess" (what a word) the authentication/encryption handshake to spoof an IP ;-)

-- 
HaJo Schatz <hajo@xxxxxxxx>
http://www.HaJo.Net
PGP-Key: http://www.hajo.net/hajonet/keys/pgpkey_hajo.txt