Whitelisting IP ranges: preventing DoS

Hi,

I like your answer to the ssh scanning attacks.

However, could I ask that you add a whitelisting feature?
For instance, as is added to this product: http://www.pettingers.org/code/sshblack.html#regex

The problem is that attackers could spoof the source IP address of ssh logon attempts to come from your own network, locking yourself out of your machine. This effectively is a Denial of Service, as you are unable to then connect to your own machine (it denies you service).

The simplest avoidance measure would be for BlockHosts to add a whitelisting feature, which prevented matching regexes from being blocked. This would mean that you could always guarantee to be able to connect to the server from that IP address.

Regards

Craig Macdonald

Already available?

At least one form of whitelisting is already available, the file INSTALL in the distribution explains it, here's a snippet:

# see "man 5 hosts_access" for details of the format of IP addresses,
# services, allow/deny options. Also see "man hosts_options"
# order of lines in this file is important, first matched IP address line
# is rule applied by hosts_access
#
# permanent whitelist addresses - these should always be allowed access

ALL: 127.0.0.1 : allow
ALL: 192.168.0. : allow

# permanent blacklist addresses - these should always be denied access

ALL: 10. : deny
ALL: 192. : deny
ALL: 172. : deny

# ----------------------------------------
# next section is the blockhosts section - it will add/delete entries in
# between the two marker lines (#---- BlockHosts Additions)
...
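To make the "first matched line wins" point concrete, here is an added example (not BlockHosts' own code) that applies hosts_access-style first-match rules to a constructed hosts.allow excerpt and only adds a deny entry inside the BlockHosts section when no permanent rule above the section already decides the address. It assumes both marker lines read exactly `#---- BlockHosts Additions` and that the permanent whitelist/blacklist sits above the first marker.

```python
# Constructed hosts.allow excerpt modelled on the INSTALL snippet above.
SAMPLE = """\
ALL: 127.0.0.1 : allow
ALL: 192.168.0. : allow
ALL: 10. : deny
ALL: 192. : deny
ALL: 172. : deny
#---- BlockHosts Additions
#---- BlockHosts Additions
"""
MARK = "#---- BlockHosts Additions"   # assumed text of both marker lines

def client_matches(ip, pattern):
    """hosts_access(5) client patterns: 'ALL' matches everything, a pattern
    ending in '.' is a network prefix, anything else is an exact address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ip == pattern

def parse_rules(text):
    """Return (daemons, clients, option) for each non-comment rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and markers
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        option = fields[2].lower() if len(fields) > 2 else "allow"
        rules.append((fields[0].split(), fields[1].split(), option))
    return rules

def decide(text, ip, service="sshd"):
    """First matching rule wins, as hosts_access applies them; None if no match."""
    for daemons, clients, option in parse_rules(text):
        if any(d in ("ALL", service) for d in daemons) and \
           any(client_matches(ip, c) for c in clients):
            return option
    return None

def add_block(text, ip):
    """Insert 'ALL: <ip> : deny' between the markers unless a permanent rule
    above the section already decides the address. Returns (text, added)."""
    lines = text.splitlines()
    marks = [i for i, l in enumerate(lines) if l.strip() == MARK]
    if len(marks) != 2:
        raise ValueError("expected exactly two BlockHosts marker lines")
    if decide("\n".join(lines[:marks[0]]), ip) is not None:
        return text, False   # whitelisted (or already denied): leave file alone
    lines.insert(marks[1], f"ALL: {ip} : deny")
    return "\n".join(lines) + "\n", True
```

Because the whitelist line precedes the `ALL: 192. : deny` line, 192.168.0.x stays reachable even if its address shows up in the scanner logs, while 192.0.2.x is denied by the permanent rule without any BlockHosts entry.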

Could you provide a PoC

Could you provide a PoC about the spoofing part of your claim.

Which claim?

Not sure I understand - if you mean the discussion in the "Overview" section of the BlockHosts page, that discussion is carried much further, in detail, in the link provided there to the SSHD mailing list.