by awsthro00945 1632 days ago
"My logs and firewall are less cluttered" is not at all the correct metric to measure the security of your box.

IP address spoofing is a thing. Blocking CIDR ranges might protect you from low-effort, drive-by botnets that constantly scan the entire internet (which all should be completely mitigated by using certificate based auth anyway), but blocking based on IP address is absolutely not an effective control against a determined hacker.

You must consider your threat model. For your personal instance that you host hobby things on, you probably won't be targeted via IP spoofing. For any type of company, you should not be relying on CIDR blocking as part of your security layers. CIDR blocking is only effective at reducing the clutter of your logs, which is a convenience, not a security control. The real security control is using proper auth methods, which are so easy to do at this point that it's ridiculous for even a hobbyist to not do them.


my understanding is that spoofing only works for sessionless protocols or situations -- e.g. a single udp packet or a series of packets that do not rely on any kind of response, since the response (like a tcp ack, or a dh handshake) is routed to the spoofed address. this would not apply to ssh. what contexts are you thinking of?
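A toy model of the point made in the comment above, added here as an illustration and not written by any commenter in the thread: every reply is delivered to the packet's claimed source address, so a forged SYN gets a SYN-ACK (carrying the server's initial sequence number) sent to the forged address rather than to the attacker, who then cannot produce the correct third-step ACK. A sessionless datagram, by contrast, needs no reply and is accepted with whatever source it claims. All addresses (RFC 5737 documentation ranges) and the handshake simplifications are constructed for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Packet:
    src: str        # claimed source address (forgeable by the sender)
    dst: str
    kind: str       # "SYN", "SYN-ACK", "ACK" (TCP) or "DGRAM" (UDP-like)
    seq: int = 0
    ack: int = 0


class Network:
    """Toy network: each packet is delivered to whoever owns packet.dst.
    Replies therefore go to the *claimed* source, never to the real sender."""

    def __init__(self):
        self.hosts = {}

    def attach(self, host):
        self.hosts[host.addr] = host

    def send(self, pkt):
        host = self.hosts.get(pkt.dst)
        if host is not None:
            host.receive(pkt)


class Host:
    def __init__(self, addr, net):
        self.addr, self.net, self.inbox = addr, net, []
        net.attach(self)

    def receive(self, pkt):
        self.inbox.append(pkt)


class Server(Host):
    """Creates a TCP session only after a correct third-step ACK; accepts a
    sessionless datagram unconditionally."""

    def __init__(self, addr, net):
        super().__init__(addr, net)
        self.half_open = {}      # claimed client address -> server ISN
        self.established = set()
        self.datagrams = []

    def receive(self, pkt):
        super().receive(pkt)
        if pkt.kind == "SYN":
            isn = secrets.randbelow(2 ** 32)
            self.half_open[pkt.src] = isn
            # SYN-ACK goes to the claimed source, whoever that really is
            self.net.send(Packet(self.addr, pkt.src, "SYN-ACK", seq=isn, ack=pkt.seq + 1))
        elif pkt.kind == "ACK":
            isn = self.half_open.pop(pkt.src, None)
            if isn is not None and pkt.ack == isn + 1:
                self.established.add(pkt.src)
        elif pkt.kind == "DGRAM":
            self.datagrams.append(pkt.src)


def honest_connect(client, server):
    """Client uses its own address, so it receives the SYN-ACK and can finish."""
    seq = secrets.randbelow(2 ** 32)
    client.net.send(Packet(client.addr, server.addr, "SYN", seq=seq))
    synack = client.inbox[-1]
    client.net.send(Packet(client.addr, server.addr, "ACK", seq=seq + 1, ack=synack.seq + 1))
    return client.addr in server.established


def spoofed_connect(attacker, server, claimed_src):
    """Attacker forges claimed_src. The SYN-ACK with the server's ISN is
    delivered to claimed_src, so the attacker can only guess the ACK number
    (a 2^-32 chance). Returns (attacker_saw_synack, session_established)."""
    seq = secrets.randbelow(2 ** 32)
    attacker.net.send(Packet(claimed_src, server.addr, "SYN", seq=seq))
    saw_synack = any(p.kind == "SYN-ACK" for p in attacker.inbox)
    guess = secrets.randbelow(2 ** 32)
    attacker.net.send(Packet(claimed_src, server.addr, "ACK", seq=seq + 1, ack=guess))
    return saw_synack, claimed_src in server.established


def spoofed_datagram(attacker, server, claimed_src):
    """Sessionless case: no reply is needed, so the forged source is accepted."""
    attacker.net.send(Packet(claimed_src, server.addr, "DGRAM"))
    return claimed_src in server.datagrams


def demo():
    net = Network()
    server = Server("192.0.2.10", net)      # constructed documentation addresses
    client = Host("192.0.2.20", net)
    victim = Host("192.0.2.30", net)        # the address the attacker forges
    attacker = Host("198.51.100.5", net)
    return {
        "honest_tcp": honest_connect(client, server),
        "spoofed_tcp": spoofed_connect(attacker, server, victim.addr),
        "spoofed_udp": spoofed_datagram(attacker, server, victim.addr),
        "victim_got_synack": any(p.kind == "SYN-ASK".replace("ASK", "ACK") for p in victim.inbox),
    }


if __name__ == "__main__":
    print(demo())
```

The model deliberately omits the RST the forged-address host would send on receiving an unexpected SYN-ACK, which in real networks closes the half-open entry even faster; the conclusion is the same either way. Running `demo()` shows the honest client established, the spoofed TCP attempt neither seeing the SYN-ACK nor establishing, and the spoofed datagram accepted, which is the distinction the comment draws between session-based protocols like ssh and sessionless ones.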
Yeah, the parent comment is not accurate. IP spoofing is only possible if you control the entire L4 stack.
There's network-level "IP spoofing" and then there's just routing traffic through an IP-diverse botnet.
Why are you assuming that a determined attacker doesn't control your L4 stack? MITMs are a threat, your network could be compromised, routers (especially consumer routers) are rife with vulnerabilities. This is the entire reason "zero trust" is pushed.
> ... determined attacker doesn't control your L4 stack?

Let's face it, for most businesses and pretty much all home users* the best they can hope to achieve is not to get owned by various automated attacks.

If some determined attacker is trying to get in, he will get in.

* Sure there are exceptions

people who control the l4 stack probably aren't brute forcing my ssh server
"the attacker probably won't do that" is not a security control.
"the attacker probably won't do that" is very much part of threat modeling, the #1 step in any serious security design.