Hello,

I'm a new user of DenyHosts, and am very happy to use it.  I used to
block hosts manually when I was looking at my machine, but now
DenyHosts takes care of it for me -- and much more quickly than I did.
Thank you!

Now I'd like to ask you a question.  DenyHosts permits users to sync
blocked-hosts data, and it seems to be a very nice feature for holding
off worldwide brute-force attacks.  But would it be possible for an
attacker to set up a legitimate DenyHosts in a forged environment in
order to, for instance, block ssh access among specific hosts (from
each other)?

Suppose one sets up a local network and, from another host in the
network using one of sourceforge's IPs, brute-forces the internal ssh
server.  The host would then block the internal host and, when syncing
data to the DenyHosts server, would send the blocked IP, which is
supposedly sourceforge's.  Other users sync data and also block
sourceforge's IP.  No more valid ssh access from sourceforge to your
host.

Alternatively, one may set up an environment in order to ssh-DoS two
known hosts.  She installs DenyHosts on both hosts, with forged IPs
from the valid hosts she wants to cause trouble for, and has them
brute-force each other.  After they have successfully blocked each
other, she allows DenyHosts to upload the blocked-hosts data.  Knowing
that both valid hosts also use DenyHosts and sync blocked data, it's a
matter of time before the valid user "johndoe" is no longer able to
connect from his host to the other valid host.

A possible solution would be the use of manually approved gpg keys in
order for the servers to accept signed blocked-hosts data.  For
example, I tell you that I would like to submit data, you ask for my
gpg key, and all submitted data is tied to a specific gpg key.  In
case I send bogus data (although with valid signatures), you may
easily drop all data submitted by me.  If the user is not able to
secure her own gpg key, then it's better she does not submit any data
at all.  The downside would be a drop in the number of submitting users.

From my understanding, this is possible but not very useful (requires
some setup and time), and could be used to retaliate against DenyHosts
users.  This stuff sounds crazy, but are there any thoughts about it?

Thanks in advance, and kudos for the developers!  :)

--
Ricardo Nabinger Sanchez
GNU/Linux #140696 [http://counter.li.org]
Slackware Linux + FreeBSD


_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
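The trust model the poster proposes (every uploaded batch of blocked hosts tied to a manually approved key, so that one submitter's data can be dropped wholesale), replayed as a toy sync server.  This is an added example and not DenyHosts code; it is the editor's illustration, not the poster's.  An HMAC with a per-submitter secret stands in for the GPG signature, since the point is accountability and revocation rather than the signature scheme itself; the submitter names, secrets and IP addresses are constructed (the addresses come from the RFC 5737 documentation ranges, not sourceforge's).  The `min_reporters` threshold goes beyond the e-mail: an address is only redistributed once enough distinct approved submitters have reported it, which is why the scenario needs both of Mallory's installs to push the spoofed victim through.

```python
"""Toy model of a DenyHosts-style sync server with submitter accountability.

Added example, not DenyHosts code.  HMAC with a per-submitter secret stands
in for the GPG signature proposed in the e-mail; the trust model is the same:
every batch of blocked hosts is tied to an approved key, and the operator can
drop everything one key ever submitted.  The min_reporters threshold is an
extra defence not in the e-mail.
"""
import hashlib
import hmac
import json
from collections import defaultdict


def sign(secret: bytes, payload: bytes) -> str:
    """Stand-in for a detached signature over the submitted batch."""
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


class SyncServer:
    def __init__(self, min_reporters: int = 2):
        self.keys = {}                    # submitter id -> approved secret
        self.revoked = set()
        self.reports = defaultdict(set)   # ip -> submitter ids that reported it
        self.min_reporters = min_reporters

    def approve(self, submitter: str, secret: bytes) -> None:
        """Manual approval step: the operator records the submitter's key."""
        self.keys[submitter] = secret

    def submit(self, submitter: str, payload: bytes, signature: str) -> bool:
        """Accept a batch only if signed by an approved, unrevoked key."""
        secret = self.keys.get(submitter)
        if secret is None or submitter in self.revoked:
            return False
        if not hmac.compare_digest(sign(secret, payload), signature):
            return False
        batch = json.loads(payload)
        if batch.get("submitter") != submitter:   # key must match the claimed identity
            return False
        for ip in batch["hosts"]:
            self.reports[ip].add(submitter)
        return True

    def revoke(self, submitter: str) -> None:
        """Drop every host this submitter ever reported."""
        self.revoked.add(submitter)
        for ip in list(self.reports):
            self.reports[ip].discard(submitter)
            if not self.reports[ip]:
                del self.reports[ip]

    def blocklist(self) -> set:
        """Only addresses reported by enough distinct live submitters are shared."""
        return {ip for ip, who in self.reports.items()
                if len(who - self.revoked) >= self.min_reporters}


def make_batch(submitter: str, hosts: list, secret: bytes):
    payload = json.dumps({"submitter": submitter, "hosts": hosts},
                         sort_keys=True).encode()
    return payload, sign(secret, payload)


def demo() -> dict:
    """Replays the e-mail's second scenario with constructed addresses."""
    srv = SyncServer(min_reporters=2)
    keys = {"alice": b"alice-secret", "bob": b"bob-secret",
            "mallory-1": b"m1-secret", "mallory-2": b"m2-secret"}
    for name, secret in keys.items():
        srv.approve(name, secret)

    real_attacker = "198.51.100.7"   # constructed: a genuine brute-forcer
    victim = "192.0.2.10"            # constructed: legitimate host Mallory wants blocked

    # Two independent honest submitters report the real attacker.
    srv.submit("alice", *make_batch("alice", [real_attacker], keys["alice"]))
    srv.submit("bob", *make_batch("bob", [real_attacker], keys["bob"]))
    # Mallory spoofs the victim's address on her own LAN and uploads it from
    # both of her DenyHosts installs, so it clears the two-reporter threshold.
    srv.submit("mallory-1", *make_batch("mallory-1", [victim], keys["mallory-1"]))
    srv.submit("mallory-2", *make_batch("mallory-2", [victim], keys["mallory-2"]))
    poisoned = srv.blocklist()

    # A tampered batch, or one from an unapproved key, is rejected outright.
    payload, sig = make_batch("alice", ["203.0.113.5"], keys["alice"])
    tampered = srv.submit("alice", payload.replace(b"203.0.113.5", b"203.0.113.6"), sig)
    stranger = srv.submit("eve", *make_batch("eve", [victim], b"eve-secret"))

    # The operator spots the bogus data and drops everything Mallory's keys sent.
    srv.revoke("mallory-1")
    srv.revoke("mallory-2")
    cleaned = srv.blocklist()
    return {"poisoned": poisoned, "cleaned": cleaned,
            "tampered_accepted": tampered, "stranger_accepted": stranger}


if __name__ == "__main__":
    print(demo())
```

Two things the scenario makes visible: key-based accountability does not stop the poisoned entry from going out, it only makes the cleanup a single revoke per key instead of a hunt through anonymous uploads; and a per-address reporter threshold raises the attacker's cost from one forged install to as many approved keys as the threshold demands, which is exactly the "requires some setup and time" cost the poster mentions.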