From: Yaroslav H. <li...@on...> - 2007-09-07 20:34:42
On Fri, 07 Sep 2007, Peter Jay Salzman wrote:

> > Besides, if you setup fail2ban to permanent ban on
> > matches, what happens if the attacker is spoofing
> > source headers for legit sites? like google or yahoo
> > or something.

> You can spoof an envelope, but you can't spoof an IP address. I need
> to know where you are in order to talk to you.

correct me if I am wrong -- in many instances where the logging occurs
without necessity to set up a connection (our lovely UDP -- in domain
service for instance) or logging is to inform that a TCP connection could
not actually be set up (like not following the standard handshake) --
fail2ban can be fooled easily. Also I believe there are issues with TCP
sequence predictability etc. which might attribute more to the problem.
I should read about it more...

> Pete

--
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
                   Linux User    ^^-^^    [175555]
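
An added example, not part of the original message and not fail2ban's own code: a ban decision that counts only failures logged over a completed TCP handshake, so events whose source address was never verified (UDP, half-open TCP) cannot get a third party banned. The function name, event tuple layout and sample events are assumptions made for illustration; `maxretry` and `findtime` only borrow the names of fail2ban's options.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events, not real logs:
# (seconds, source IP, transport, TCP handshake completed?)
EVENTS = [
    (0, "203.0.113.7", "tcp", True),      # failed login over an established session
    (5, "203.0.113.7", "tcp", True),
    (9, "203.0.113.7", "tcp", True),
    (10, "198.51.100.20", "udp", False),  # denied DNS query, source never verified
    (11, "198.51.100.20", "udp", False),
    (12, "198.51.100.20", "udp", False),
    (13, "192.0.2.50", "tcp", False),     # handshake not completed
    (14, "192.0.2.50", "tcp", False),
    (15, "192.0.2.50", "tcp", False),
    (20, "192.0.2.129", "tcp", True),     # address inside the ignore list
    (21, "192.0.2.129", "tcp", True),
    (22, "192.0.2.129", "tcp", True),
]

def ban_candidates(events, maxretry=3, findtime=600, ignore=()):
    """Return (addresses to ban, addresses whose unverified events were ignored)."""
    nets = [ipaddress.ip_network(n) for n in ignore]
    hits = defaultdict(list)
    banned, unverified = [], set()
    for ts, src, transport, handshake in sorted(events):
        if any(ipaddress.ip_address(src) in n for n in nets):
            continue  # never ban allowlisted ranges
        if transport != "tcp" or not handshake:
            unverified.add(src)  # source could be forged: count nothing
            continue
        # keep only failures inside the sliding findtime window
        hits[src] = [t for t in hits[src] if ts - t < findtime] + [ts]
        if len(hits[src]) >= maxretry and src not in banned:
            banned.append(src)
    return banned, sorted(unverified)

if __name__ == "__main__":
    print(ban_candidates(EVENTS, ignore=["192.0.2.128/25"]))
```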