Your right they wouldn't get all of the way through. The three way handshake is great against blind spoofing attacks. That said the original poster was focused on a DOS event,to do that you really don't need the full handshake. I'm not sure if the end goal of whomever we were dealing with was to DOS us or if was some screwed up half open syn scans, or my personnel guess it was to generate enough bogus log traffic to hide which connections were legitimate threats. Either way enough inbound SYN connections on port 22 would tip over the servers, this was LONG ago circa 97~99, so the traffic we saw was an effective DOS. We had inetd calling ssh and also telnet (Change comes slowly and cyrpto was painful to implement for us at the time). In our setup inetd decided to log the sessions both ssh and telnet as soon as the daemon was called. So even if we didn't do the full session setup the machine would still log an event for each tcp session. In hindsight we could have cleaned it up so that it wouldn't log before completing the handshake or tweaked the perl script to filter them out but I was a newbie at that point and placing ACLs in my border router to drop inbound ssh traffic that didn't come from netblocks I expected and moving off of the default port were the easiest solutions at the time. Now it would be trivial to setup syslog and sshd to give only the sessions that complete the handshake, however I'm also not sure how responsive some of the abuse contacts may be. I'll keep my restrictive network settings for the time being. Sam Moats On 2013-11-12 20:43, William Herrin wrote:
On Tue, Nov 12, 2013 at 4:52 PM, Sam Moats <sam@circlenet.us> wrote:
We used to use a small perl script called tattle that would parse out the /var/log/secure on our *nix boxes, isolate the inbound ssh exploits, lookup the proper abuse contacts and report them. I haven't seen anything similar in years but it would be interesting to do more than null route IPs.
The problem we had with the automated reporting was dealing with spoofed sources, we see lots of traffic that is obviously hostile but unless it becomes serious enough to impact performance we rarely report it. An automated system didn't seem to fit anymore due to false positives.
Hi Sam,
Out of curiosity -- how does one get a false positive on an ssh exploit attempt? Does the origin IP not have to complete a 3-way handshake before it can attempt an exploit?
Regards, Bill Herrin