0

I am running a Debian wheezy server with fail2ban installed. Everything works as expected, but recently my own server got banned. I added the server's IP in the exception row and it seems to work, but here is the question:

Is it possible that someone simulates/spoofs the server's IP to do a brute-force attack? If so, how can that be detected?

spacebiker
  • Brute force against which service? Maybe your fail2ban reacts to a spoofed IP. Check your fail2ban.log to get more information on why your host/IP is banned. – deagh Sep 05 '14 at 14:35
  • 1
    IP spoofing won't do them any good since they have no way of getting the replies (and thus knowing if their credentials were correct). Also, SSH (like about any protocol that runs on top of TCP) needs a first reply to be received even before sending the actual application data (in your case, the SSH credentials). –  Sep 05 '14 at 16:07
  • @deagh, against almost every service configured in fail2ban: fail2ban-apache-noscript, fail2ban-apache-badbots, fail2ban-apache, fail2ban-apache-scan, fail2ban-courierauth, couriersmtp, etc. The server's external IP got banned for them all. – spacebiker Sep 05 '14 at 16:25
  • @AndréDaniel, do you mean the server's IP could not be spoofed? – spacebiker Sep 05 '14 at 16:26
  • @spacebiker it can, for denial of service attacks for example. But anything that requires two-way communication (basically any successful TCP connection) is spoofing-proof. –  Sep 05 '14 at 16:28
  • The funny thing is that the logs do not show any record banning the server IP; I checked the archived logs as well. I have removed the server's IP from the exception list in jail.conf, just for security, and I will check if it gets banned again. – spacebiker Sep 05 '14 at 16:35

1 Answer

0

Any request which requires two-way communication, such as SSH, would not allow address spoofing, because the server must be able to communicate back to the originating host.

Requests which do not require reverse communication, such as a DDoS, where the attacker doesn't care whether or not they receive the response, can have spoofed source addresses. Unfortunately, there's not much you can do about that.

Daniel Scott
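Following deagh's advice to check fail2ban.log for the reason a host was banned, here is an added example (not from the original thread or from fail2ban itself) that scans log lines for Ban/Unban actions and reports which jails banned a given address and when. The log lines are constructed samples in the fail2ban 0.8.x format shipped with wheezy; the addresses are documentation ranges, not the asker's server.

```python
import re
from collections import Counter

# Constructed sample lines in the fail2ban 0.8.x log format (Debian wheezy era).
# These are illustrative only and not taken from the asker's server.
SAMPLE_LOG = """\
2014-09-05 14:30:01,120 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2014-09-05 14:31:45,003 fail2ban.actions: WARNING [apache-badbots] Ban 203.0.113.25
2014-09-05 14:35:10,440 fail2ban.actions: WARNING [apache-noscript] Ban 203.0.113.25
2014-09-05 14:40:00,001 fail2ban.actions: WARNING [ssh] Unban 198.51.100.7
2014-09-05 15:02:13,777 fail2ban.actions: WARNING [courierauth] Ban 203.0.113.25
"""

# One Ban/Unban action line: timestamp, module, level, [jail], action, address.
ACTION_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ "
    r"fail2ban\.actions: \w+ \[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<ip>\S+)$"
)


def parse_actions(log_text):
    """Yield (timestamp, jail, action, ip) for every Ban/Unban line, skipping the rest."""
    for line in log_text.splitlines():
        m = ACTION_RE.match(line)
        if m:
            yield m.group("ts"), m.group("jail"), m.group("action"), m.group("ip")


def bans_for_ip(log_text, ip):
    """Return [(timestamp, jail), ...] for every ban recorded against one address."""
    return [(ts, jail) for ts, jail, action, addr in parse_actions(log_text)
            if action == "Ban" and addr == ip]


def jails_banning_ip(log_text, ip):
    """Count how many times each jail banned the address."""
    return Counter(jail for _, jail in bans_for_ip(log_text, ip))


def ban_report(log_text, ip):
    """Human-readable summary of the bans against one address."""
    bans = bans_for_ip(log_text, ip)
    if not bans:
        return "no fail2ban Ban action recorded for %s" % ip
    lines = ["%d ban(s) recorded for %s:" % (len(bans), ip)]
    lines += ["  %s  jail=%s" % (ts, jail) for ts, jail in bans]
    return "\n".join(lines)


if __name__ == "__main__":
    # Replace with the server's own external address and the real log:
    #   open("/var/log/fail2ban.log").read()
    print(ban_report(SAMPLE_LOG, "203.0.113.25"))
    print(ban_report(SAMPLE_LOG, "192.0.2.1"))
```

If the address appears in Ban lines across several jails at nearly the same time, the matching log entries for those jails (the Apache or courier logs) show what traffic actually triggered each filter. If no Ban line exists for the address at all, as the asker observed, fail2ban did not record banning it, and the block most likely came from somewhere else.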