tlug.jp Mailing List Archive
- Date: Sat, 20 Jan 2007 11:12:56 +0900 (JST)
- From: Curt Sampson <cjs@example.com>
- Subject: [tlug] Host Blocking and Logfile Parsing
I myself don't see the security advantage of blocking IPs based on the ssh attacks; turn off password authentication and no password attack will ever succeed anyway.
However, if you are doing things such as this, be careful how you're parsing your logs. You have to keep in mind that your logs probably contain data determined by the attacker, and thus if you're using something like a shell script to parse it, you may be opening up far larger security holes than you're closing. In the extreme case, you may end up going from having a perfectly secure system to allowing anybody to execute arbitrary commands as root on your system.
The thread that this message is a part of:
http://archives.neohapsis.com/archives/fulldisclosure/2006-11/0434.html
discusses a shell script running as root and parsing logs that may or may not have done sufficient quoting of log data to avoid arbitrary command execution. (I didn't bother to read the whole thread, since the security of this particular script isn't really of concern to me.)
In general, I'd avoid the use of Bourne shell, or any system that might evaluate network data in an interpreter, for parsing log files. Evaluating data is fraught with peril, and is usually very hard to get correct. (Thus the idea of 'taint' mode in interpreters for languages such as Perl and Ruby.) The particular attack above related to attempts to log in as users with metacharacters in the login name:
ssh 'foo bar `/sbin/halt`'@example.com
As always, stay simple, and don't get too clever.
cjs -- Curt Sampson <cjs@example.com> +81 90 7737 2974
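The parsing caveat in the message above, worked through as an added example that is not part of the original post or of the script discussed in the linked thread. It assumes an sshd "Failed password" log format and an iptables block rule as the action; the log lines are constructed for the example (the first one carries the metacharacter login name from the message). The log fields are only ever matched and validated, never evaluated, and the block command is built as an argument vector so no shell sees the data; the two logger helpers contrast the unsafe string-building pattern the thread warns about with a quoted form.

```python
import ipaddress
import re
import shlex
import subprocess

# Constructed sshd log excerpt (not from the original post). Line 1 carries the
# metacharacter login name from the message; line 3 is deliberately truncated;
# line 4 has an IPv6 source; line 5 is a successful login, not a failure.
SAMPLE_LOG = """\
Jan 20 11:01:02 host sshd[1234]: Failed password for invalid user foo bar `/sbin/halt` from 192.0.2.10 port 51234 ssh2
Jan 20 11:01:05 host sshd[1235]: Failed password for root from 198.51.100.7 port 40000 ssh2
Jan 20 11:01:09 host sshd[1236]: Failed password for invalid user $(id) from 203.0.113.5 port
Jan 20 11:01:12 host sshd[1237]: Failed password for invalid user admin from 2001:db8::1 port 2222 ssh2
Jan 20 11:02:00 host sshd[1238]: Accepted publickey for cjs from 192.0.2.99 port 5000 ssh2
"""

# Anchored on the trailing "from <ip> port <n> ssh2" that sshd writes itself,
# so whatever the client put in the user name cannot shift the source field.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2$"
)


def parse_failed_logins(log_text):
    """Return (user, ip) pairs for failed-password lines.

    The user name is kept as opaque data. The address goes through the
    ipaddress module, so anything that is not a literal IPv4/IPv6 address
    is dropped rather than passed on to a command.
    """
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m is None:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        hits.append((m.group("user"), str(ip)))
    return hits


def block_argv(ip):
    """Argument vector for a block rule (iptables assumed; adapt to your firewall).

    Handed to subprocess.run() as a list, so no shell parses it and backticks,
    $(...), ';' or quotes in the input have no special meaning.
    """
    addr = ipaddress.ip_address(ip)  # raises ValueError on anything else
    return ["iptables", "-I", "INPUT", "-s", str(addr), "-j", "DROP"]


def log_line_unsafe(user, ip):
    """The pattern the thread warns about: log text pasted into a sh -c string.

    Double quotes do not help: inside them the shell still expands backticks
    and $(...), so the user name from line 1 would run /sbin/halt as whatever
    user the script runs as. Shown for contrast only; never pass it to sh.
    """
    return f'logger "blocking {user} from {ip}"'


def log_line_quoted(user, ip):
    """Same message with shlex.quote, so the shell sees one literal word."""
    return "logger " + shlex.quote(f"blocking {user} from {ip}")


def apply_blocks(log_text, run=subprocess.run):
    """Parse the log and invoke the block command once per address, shell-free."""
    seen = set()
    for _user, ip in parse_failed_logins(log_text):
        if ip in seen:
            continue
        seen.add(ip)
        run(block_argv(ip), check=False)
    return sorted(seen)


if __name__ == "__main__":
    # Dry run: print the argv instead of touching the firewall.
    apply_blocks(SAMPLE_LOG, run=lambda argv, **kw: print(argv))
```

Run as-is it only prints the argument vectors; replace the `run` argument with the default `subprocess.run` to apply rules, and keep the script unprivileged except for the one command that needs root.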