How much of a linux security problem is "IP spoofing"?
I am using ConfigServer Security & Firewall (CSF) to limit port access to whitelisted IP addresses. However, I have heard that IP addresses can be spoofed. How widespread is this problem, and is it something I should be concerned with?
On a lot of consumer internet networks, I can just set my IP to that of the neighbors and have their IP, so yeah, IPs can be spoofed. Colocated servers also often share one subnet among different customers. Just DoS the machine so it goes down, take over its IP and you're done...
Anyway, it depends on your situation. Do you have data which you expect someone to steal, or to try to steal? Then you need more security than IP whitelisting. However, if it will be a 'normal' (web) server, then usually even IP restrictions are only necessary for flaky software like phpMyAdmin. Software like SSH, for instance, won't just be cracked, because OpenSSH is strictly audited. Even DenyHosts (denies IPs that try to log in frequently) is unnecessary and mostly annoying (I've been locked out of my own machines quite frequently...).
My experience is that if you don't have data someone else wants, your biggest problem is automated scans for things like flaky PHP sites to send spam through. The simplest security measures, like IP whitelisting or running on a different port, are often enough for that.
Check out this question over on Security Stack Exchange - lots of useful answers.
Possible risks:
SYN flooding from an IP that is not filtered
Connection hijacking by learning the next sequence number
Bypassing the firewall and other defenses by acting as a legitimate source
Idle scan
Smurf attack
DNS cache poisoning
And my accepted answer on that question:
Less of a direct risk, but also relevant, is general traffic load. My take on this is to disallow as much as you can at the perimeter - this includes traffic types and ports you don't use, and also traffic which is effectively invalid. It is simple to do on most routers, and it means any deep-inspection firewall has to trawl through fewer packets, thus reducing the load.
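The two answers above make the same point from different angles: the first says "DoS the machine, take over its IP", the second lists "connection hijacking by learning the next sequence number" and "bypass firewall ... by acting as a legit source". The following toy model, added here as an example and not code from the original page, from CSF or from the Linux kernel, shows why those two conditions matter. A whitelist on a connectionless (UDP) service is defeated by a single forged datagram, because the source address is the only thing it can check. A whitelist on a TCP service is not, because the SYN/ACK carrying the server's initial sequence number (ISN) is routed to the claimed source, so a blind spoofer must guess ISN+1 and must also keep the real whitelisted host from answering with a RST. Every name in the block (WHITELIST, udp_service, TcpService, blind_tcp_attack, ISN_STEP) and every address is hypothetical and constructed for the demo; packets are plain dicts and no real sockets are involved.

```python
"""Toy model of IP spoofing against a source-address whitelist.

Added example, not code from the original page, from CSF or from the
Linux kernel. Every name here (WHITELIST, udp_service, TcpService,
blind_tcp_attack) and every address is hypothetical and constructed
for the demo; packets are plain dicts and no real sockets are used.
"""
import secrets

WHITELIST = {"203.0.113.10"}    # constructed: the one allowed client
ATTACKER_IP = "198.51.100.77"   # constructed: the attacker's real address
MOD32 = 1 << 32                 # TCP sequence numbers are 32-bit
ISN_STEP = 64000                # increment used by the predictable-ISN mode


def udp_service(packet):
    """Connectionless service: the only check available is the source
    address in the IP header, which the sender fills in freely."""
    if packet["src"] not in WHITELIST:
        return "dropped"
    return "processed:" + packet["payload"]


class TcpService:
    """Listener that answers a whitelisted SYN with SYN/ACK carrying its
    initial sequence number (ISN) and accepts data only after an ACK of
    ISN+1, the third step of the handshake."""

    def __init__(self, predictable_isn=False):
        # predictable_isn=True mimics an old fixed-increment ISN generator;
        # False mimics a randomised ISN, which modern stacks use by default.
        self.predictable_isn = predictable_isn
        self.counter = 0
        self.pending = {}       # claimed source address -> server ISN

    def recv_syn(self, packet, claimed_host_is_up=True):
        if packet["src"] not in WHITELIST:
            return "dropped"
        if self.predictable_isn:
            self.counter = (self.counter + ISN_STEP) % MOD32
            isn = self.counter
        else:
            isn = secrets.randbits(32)
        self.pending[packet["src"]] = isn
        # The SYN/ACK is routed to the *claimed* source, not to whoever
        # sent the SYN. A live host that never sent a SYN answers with
        # RST, which tears the half-open connection down before any
        # guessed ACK can land. That is why the attacker wants it offline.
        if claimed_host_is_up:
            del self.pending[packet["src"]]
            return "rst-from-claimed-host"
        return "syn-ack-sent"

    def recv_ack(self, packet):
        isn = self.pending.pop(packet["src"], None)
        if isn is None or packet["ack"] != (isn + 1) % MOD32:
            return "rejected"
        return "established:" + packet["payload"]


def spoof_udp():
    """One forged datagram with a whitelisted source is enough."""
    forged = {"src": next(iter(WHITELIST)), "payload": "hello"}
    return udp_service(forged)


def blind_tcp_attack(service, known_prev_isn=None, tries=1000,
                     claimed_host_is_up=False):
    """Forge SYNs from a whitelisted address without ever seeing the
    SYN/ACK, so the ACK must carry a guessed ISN+1. known_prev_isn is the
    last ISN the server handed out, assumed learned from a sniffed
    legitimate session; with a random ISN each try is a 1-in-2^32 shot.
    Returns (attempts_used, outcome)."""
    victim = next(iter(WHITELIST))
    for attempt in range(1, tries + 1):
        reply = service.recv_syn({"src": victim}, claimed_host_is_up)
        if reply != "syn-ack-sent":
            return attempt, reply
        if known_prev_isn is not None:
            guess = (known_prev_isn + ISN_STEP * attempt + 1) % MOD32
        else:
            guess = secrets.randbits(32)
        outcome = service.recv_ack(
            {"src": victim, "ack": guess, "payload": "forged-command"})
        if outcome.startswith("established"):
            return attempt, outcome
    return tries, "failed"


if __name__ == "__main__":
    print("UDP, spoofed source:", spoof_udp())
    predictable = TcpService(predictable_isn=True)
    print("TCP, predictable ISN, victim offline:",
          blind_tcp_attack(predictable, known_prev_isn=predictable.counter))
    print("TCP, random ISN, victim offline:",
          blind_tcp_attack(TcpService(), tries=1000))
    print("TCP, predictable ISN, victim online:",
          blind_tcp_attack(TcpService(predictable_isn=True), known_prev_isn=0,
                           claimed_host_is_up=True))
```

Run stand-alone, the four cases print the practical answer to the question: the UDP whitelist falls to one packet; the TCP whitelist falls only when the ISN is predictable and the legitimate host is silent, which is exactly the "DoS it, then take its IP" scenario; with a randomised ISN the blind attacker is still guessing after a thousand tries. The model deliberately leaves out the case the first answer also raises, an attacker on the same subnet who can simply take the address and see the replies; no amount of sequence-number randomness helps there, and that is where ingress filtering at the router and stronger authentication than a source address are needed.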