Re: Countering some types of SSH spoofing with NFTables

Subject: Re: Countering some types of SSH spoofing with NFTables
From: Lars Noodén <lars.nooden@xxxxxxx>
Date: Mon, 4 Nov 2024 15:50:09 +0200
In-reply-to: <66933c54-769b-4371-bbf7-b115a85de4c2@app.fastmail.com>
References: <d985d5e4-18b9-4f66-9e24-c7b1c9640caa@gmx.com> <f0624e62-0079-43aa-9bd9-28f820914263@app.fastmail.com> <66933c54-769b-4371-bbf7-b115a85de4c2@app.fastmail.com>
Ui-outboundreport: notjunk:1;M01:P0:BKjr2yIofag=;YERpgez1bqdXkB8zqvOQODNfV0e u27XxYL6sMcIh/5pe1nPGCLNVuuL8NbwqriKghECI+0jvYFWow577VDs62QsVQrPrMSi8t8CJ EK+KC5pseAY7ykNfUj7nAeDG6oQIc1V5y8ciPjomNwsdJTjqlymMgC+LPtfvJ3HXhtzbdZmaj hpQxaPCycfTcmT9fPnZyIF5ws1hN8uN9tNHzUX4Yc3/BtN1BYah0V8p5jIO93VyPo7Yjh/8Kl Neoa+vaUr570WfvmfN9DNFAq7Yz70XLV/xtf9/u92+xE3LXkx+b52Y04Gl0HahffN5WH9b8MC WxErkKOSUlzlxJOrdfHpSFN/Wy/25+Iwt8vyNSPzEfQEc5NoiyqNtAv//SBFtrnLJ23yi2mFi 5arNn0ng39fHnpep6pqNCnI9VVDZyj14WqrgxF2aW6znDwLFTPQEDYfkEtIWfEQl08kdxtVkZ CowSeQDahXulR8R8mzQBoxLr2KxRy8kFdO9NwFYoNuyATaoCoqBfsR3zcsJlEkY+T+OEebKQD ehap2TaH179x6nKDkhx5cLUt196x8v8nsqPCbPd3GU9RHmFqhFbgvVKmzG/7a4uubDxts958W UBWDqA3j0wAlVdW2rMLhPS6BhN0A6aEQr4Ctbm/Rg071wQffy8cbLL3e2JMdUcdrGh7JiAmLM c8jZHqIGgbmz9F272bp4yP216tCtD9yDqJTNVh1/uFwDUU8b5HNYxHzKhP7vXdSRGifaHwB3c exG0LeQWoXudhy+JVqHZeoAZ8ZJ8AFQDwkfNuEv7F1SmVDIiTk6Rkc=
User-agent: Mozilla Thunderbird

On 11/3/24 21:08, Kerin Millar wrote:
[snip]> Upon reading your post a second time, I noticed that your sample
ruleset already

contains a rule that depends upon connection tracking. As such, you could use
state matching to assist in accounting for backscatter.

[snip]

Thanks for the explanations and the NFTables rules.   I'll do some more
reading and experimenting.

/Lars

References:
- Countering some types of SSH spoofing with NFTables
  - From: Lars Noodén
- Re: Countering some types of SSH spoofing with NFTables
  - From: Kerin Millar
- Re: Countering some types of SSH spoofing with NFTables
  - From: Kerin Millar