From: Pieter de Boer
To: freebsd-security@freebsd.org
Date: Sat, 19 Aug 2006 21:48:49 +0200
Subject: SSH scans vs connection ratelimiting
Message-ID: <44E76B21.8000409@thedarkside.nl>

Gang,

For months now, we're all seeing repeated bruteforce attempts on SSH. I've
configured my pf install to ratelimit TCP connections to port 22 and to
automatically add IP addresses that connect too fast to a table that's
filtered:

    table <lamers> { }
    block quick from <lamers> to any
    pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22 \
        modulate state (source-track rule max-src-nodes 8 max-src-conn 8 \
        max-src-conn-rate 3/60 overload <lamers> flush global)

This works as expected; IP addresses are added to the 'lamers' table every
once in a while.

However, there apparently are SSH bruteforcers that simply use one
connection to perform a brute-force attack:

    Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
    Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
    Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
    Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
    Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
    Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122

My theory was/is that this particular scanner simply multiplexes multiple
authentication attempts over a single connection. I 'used the source, Luke'
of OpenSSH to find support for this theory, but found the source a bit too
wealthy for my brain to find such support.

So, my question is: does anyone know how this particular attack works and
if there's a way to stop this? If my theory is sound and OpenSSH does not
have provisions to limit the authentication requests per TCP session, I'd
find that an inadequacy in OpenSSH, but I'm probably missing something
here :)

Regards,
Pieter
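The pf rule in the post counts TCP connections, so it cannot see failures that share a connection. The script below is an added example (not part of the post, not FreeBSD or OpenSSH code) that rate-limits on the sshd log instead: it parses "Invalid user" and "Failed password" lines, flags a source with more than 3 failures in any 60-second window (the same 3/60 figure as the pf rule), and reports how many distinct sshd PIDs each source produced. Because sshd forks one child per TCP connection, the PID count tells you whether the attempts arrived on separate connections or shared one. The first six log lines are the ones quoted in the post; the two 10.0.0.5 lines and the year 2006 (syslog timestamps carry no year) are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input. The first six lines are quoted from the post; the two
# 10.0.0.5 lines are constructed here as a source that stays under the limit.
SAMPLE_LOG = """\
Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122
Aug 18 00:05:00 aberdeen sshd[88100]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2
Aug 18 00:07:30 aberdeen sshd[88133]: Failed password for root from 10.0.0.5 port 51240 ssh2
"""

LOG_YEAR = 2006  # assumed: syslog lines have no year field

# Two sshd failure messages: "Invalid user X from IP" and
# "Failed password for [invalid user ]X from IP ...".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?:Invalid user (?P<u1>\S+) from (?P<ip1>[\d.]+)"
    r"|Failed password for (?:invalid user )?(?P<u2>\S+) from (?P<ip2>[\d.]+))"
)


def parse_line(line):
    """Return (timestamp, pid, user, ip) for a failed-auth sshd line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, int(m["pid"]), m["u1"] or m["u2"], m["ip1"] or m["ip2"]


def summarize(log_text):
    """Group failures by source IP: count, distinct sshd PIDs, users, sorted times."""
    per_ip = defaultdict(lambda: {"attempts": 0, "pids": set(), "users": set(), "times": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, pid, user, ip = rec
        entry = per_ip[ip]
        entry["attempts"] += 1
        entry["pids"].add(pid)
        entry["users"].add(user)
        entry["times"].append(ts)
    for entry in per_ip.values():
        entry["times"].sort()
    return dict(per_ip)


def offenders(log_text, max_attempts=3, window_seconds=60):
    """Source IPs with more than max_attempts failures inside any window_seconds span.

    Same 3/60 shape as the pf max-src-conn-rate in the post, but counted on
    authentication failures, so attempts sharing one connection are seen too.
    """
    flagged = []
    for ip, entry in summarize(log_text).items():
        times = entry["times"]
        left = 0
        for right in range(len(times)):
            # slide the left edge until times[left..right] fits in the window
            while (times[right] - times[left]).total_seconds() > window_seconds:
                left += 1
            if right - left + 1 > max_attempts:
                flagged.append(ip)
                break
    return sorted(flagged)


def connections_per_attempt(summary, ip):
    """Distinct sshd PIDs divided by failures. sshd forks one child per TCP
    connection, so 1.0 means every attempt came on its own connection and a
    value well below 1.0 means attempts shared connections."""
    entry = summary[ip]
    return len(entry["pids"]) / entry["attempts"]


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, entry in summary.items():
        print(f"{ip}: {entry['attempts']} failures over {len(entry['pids'])} "
              f"connections, users={sorted(entry['users'])}")
    print("over limit:", offenders(SAMPLE_LOG))
```

For the six quoted lines the PID-to-attempt ratio is 1.0, i.e. six separate sshd children and therefore six separate connections. For a cap on attempts within one connection, OpenSSH's sshd_config `MaxAuthTries` (default 6) is the per-connection limit; a log-based detector like this one is what feeds a table such as `<lamers>` when the attempts are spread in a way the connection-rate rule does not catch.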