Diomidis Spinellis blog dds logo

An Inadvertent Denial of Service Attack

 

If you're wondering why this blog was down for the past few hours, here is the story. In an earlier blog post I listed a small script I'm using to lock-away door knockers who attempt to break into our group's computer by trying various passwords. If you like puzzles, read the script again and think how it could be used against us by isolating our computer from the entire world.

Here is what happened. A local user had trouble with his password, and was trying to login from within the computer into the same computer. These attempts got logged as breakin attempts, and my script duly installed an ipfw filter to cut-off the offending computer. Trouble was that the offending computer was ours.

Here is a revised script that fixes the problem. 

#
# Scan sshd logs and add deny rules to the firewall
#
# Written by Diomidis Spinellis
# based on http://www.freebsdwiki.net/index.php/Block_repeated_illegal_or_failed_SSH_logins
#
#

# Set this to your hostname, or local users can launc a DoS attack
HOSTNAME=istlab.dmst.aueb.gr

if ipfw show | awk '{print $1}' | grep -q 20000 ; then
        ipfw delete 20000
fi

# This catches repeated attempts for both legal and illegal users
# No check for duplicate entries is performed, since the rule
# has been deleted.
awk '/sshd/ && (/Invalid user/ || /authentication error/) &&
    $(NF) != "'$HOSTNAME'" {try[$(NF)]++}
END {for (h in try) if (try[h] > 5) print h}' /var/log/auth.log |
while read ip
do
        ipfw -q add 20000 deny tcp from $ip to any  2>/dev/null
done
The story's moral is that building secure systems is a tricky business. Making the wrong assumptions can make an unsuspecting user launch a denial of service attack.

Acknowledgement: Many thanks to my colleague Markos Gogoulos who described to me the computer's problem in a clear way ("the computer is responding to pings but ssh and http appear to be filtered") that instantly led me to recognize the problem's cause. Had I found the problem myself or through a less precise description I would still be wondering why the computer was turining off most network connections every few minutes.

Comments   Toot! Share

Navigation
blog contents
dds blog
dds home
comments
« Suspend Windows from the Command Line
» Missing the Point
Tagged as


Become a Unix command line wizard
edX MOOC on Unix Tools: Data, Software, and Production Engineering
Debug like a master
Book cover of Effective Debugging
Compute with style
Book cover of The Elements of Computing Style
Syndication
This blog is also available as an RSS feed:

Recent posts
Twitter's overrated dissemination capacity (2023-04-02)
The hypocritical call to pause giant AI (2023-03-30)
AI deforests the knowledge’s ecosystem (2023-03-16)
How I fixed git-grep macOS UTF-8 support (2022-10-12)
The sorry state of software quality (2022-03-10)
Rather than alchemy, methodical troubleshooting (2021-11-27)
The Evolution of the Unix System Architecture (2021-06-18)
Reviving the 1973 Unix text to voice translator (2021-01-02)
Fast database UPDATE/DELETE operations (2020-12-10)
Raspberry Pi 400 vs ZX Spectrum (2020-11-02)

Last modified: Wednesday, October 8, 2008 10:10 am

Creative Commons Licence BY NC

Unless otherwise expressly stated, all original material on this page created by Diomidis Spinellis is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.