Date:      Sun, 20 Aug 2006 18:59:36 +0200
From:      Pieter de Boer <pieter@thedarkside.nl>
To:        freebsd-security@freebsd.org
Subject:   Re: SSH scans vs connection ratelimiting
Message-ID:  <44E894F8.5090505@thedarkside.nl>
In-Reply-To: <f34ca13c0608200935w34279b4dle9cc6d5bfcac1d59@mail.gmail.com>
References:  <44E76B21.8000409@thedarkside.nl> <f34ca13c0608200935w34279b4dle9cc6d5bfcac1d59@mail.gmail.com>

Constantine A. Murenin wrote:

>> So, my question is: Does anyone know how this particular attack works
>> and if there's a way to stop this? If my theory is sound and OpenSSH
>> does not have provisions to limit the authentication requests per TCP
>> session, I'd find that an inadequacy in OpenSSH, but I'm probably
>> missing something here :)

> This is just one thread that I've found now, called "is there a way to
> block sshd trolling?":
> http://arkiv.openbsd.nu/?ml=openbsd-misc&a=0&t=1325006.
> 
> Most of these attacks come from compromised Linux hosts, so if you use
> pf(4), you could easily block access to ssh port from any Linux
> machine, and then you're mostly covered. :) See
> http://arkiv.openbsd.nu/?ml=openbsd-misc&a=0&m=1332409.
I'm not so much searching for a solution to the 'problem', but rather 
want to know why ratelimiting apparently doesn't work for some of the 
scans. I see IP addresses being blocked just fine by the pf rule due to 
scans, but also see some other scans still succeed. Ratelimiting is 
one of the few solutions I can agree with, and it should simply work.

Perhaps I should try running a tcpdump for a few days again to get a 
packet trace of such a 'succeeding' scan. Might show what's going on..

-- 
Pieter
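
An added worked example, not part of Pieter's mail or of anything else in
this thread: a pf connection-rate rule (max-src-conn-rate) counts new TCP
connections per source, so before pulling a multi-day tcpdump it is worth
splitting the sshd auth log into attempts per source and attempts per TCP
connection, which shows whether the scans that get through open few
connections but make many guesses over each one. The script below parses
OpenSSH's standard syslog lines ("Failed password for [invalid user] X from
IP port P ssh2"); the log lines embedded in it are constructed, not a real
capture, and exceeds_conn_rate() is only an assumed approximation of what a
"max-src-conn-rate N/S" rule would count, since pf tracks states in the
kernel rather than reading logs.

```python
"""Split failed SSH logins into per-source and per-TCP-connection counts.

Added example for the ratelimiting discussion; it reads log text only, so it
runs offline. The sample log is constructed and the rate check is an assumed
approximation of pf's max-src-conn-rate, not a reproduction of it.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in OpenSSH's syslog format (not a real capture).
# 198.51.100.7 opens a fresh connection for every guess; 203.0.113.9 makes
# all of its guesses over one connection (same sshd pid, same source port).
SAMPLE_LOG = """\
Aug 20 17:01:00 gw sshd[4101]: Failed password for invalid user admin from 198.51.100.7 port 40011 ssh2
Aug 20 17:01:01 gw sshd[4102]: Failed password for invalid user test from 198.51.100.7 port 40012 ssh2
Aug 20 17:01:02 gw sshd[4103]: Failed password for invalid user guest from 198.51.100.7 port 40013 ssh2
Aug 20 17:01:03 gw sshd[4104]: Failed password for root from 198.51.100.7 port 40014 ssh2
Aug 20 17:01:04 gw sshd[4105]: Failed password for invalid user oracle from 198.51.100.7 port 40015 ssh2
Aug 20 17:01:05 gw sshd[4106]: Failed password for invalid user www from 198.51.100.7 port 40016 ssh2
Aug 20 17:02:10 gw sshd[4200]: Failed password for invalid user oracle from 203.0.113.9 port 51000 ssh2
Aug 20 17:02:11 gw sshd[4200]: Failed password for invalid user oracle from 203.0.113.9 port 51000 ssh2
Aug 20 17:02:12 gw sshd[4200]: Failed password for invalid user postgres from 203.0.113.9 port 51000 ssh2
Aug 20 17:02:13 gw sshd[4200]: Failed password for invalid user mysql from 203.0.113.9 port 51000 ssh2
Aug 20 17:02:14 gw sshd[4200]: Failed password for root from 203.0.113.9 port 51000 ssh2
Aug 20 17:02:15 gw sshd[4200]: Failed password for root from 203.0.113.9 port 51000 ssh2
Aug 20 17:03:00 gw sshd[4300]: Accepted publickey for pieter from 192.0.2.5 port 60000 ssh2
"""

# "Failed <method> for [invalid user] <user> from <ip> port <port> ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)


def parse_failures(log_text):
    """Return (timestamp, ip, connection_id, user) for every failed-auth line.

    Each sshd child process serves exactly one TCP connection, so the pair
    (pid, source port) identifies the connection an attempt arrived on.
    """
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # accepted logins, other daemons, noise
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year is irrelevant here
        out.append((ts, m["ip"], (m["pid"], m["port"]), m["user"]))
    return out


def per_source_stats(failures):
    """Per source IP: total attempts, distinct connections, worst attempts on
    one connection, and when each connection was first seen."""
    conns = defaultdict(lambda: defaultdict(list))  # ip -> conn_id -> [ts, ...]
    for ts, ip, conn_id, _user in failures:
        conns[ip][conn_id].append(ts)
    stats = {}
    for ip, by_conn in conns.items():
        stats[ip] = {
            "attempts": sum(len(v) for v in by_conn.values()),
            "connections": len(by_conn),
            "max_attempts_per_connection": max(len(v) for v in by_conn.values()),
            "connection_starts": sorted(min(v) for v in by_conn.values()),
        }
    return stats


def exceeds_conn_rate(connection_starts, limit, seconds):
    """True if more than `limit` connections start inside any `seconds`-long window.

    Assumed approximation of a rule such as pf's max-src-conn-rate 5/10:
    only new connections count, never the guesses made over an existing one.
    """
    starts = sorted(connection_starts)
    lo = 0
    for hi, t in enumerate(starts):
        while (t - starts[lo]).total_seconds() > seconds:
            lo += 1
        if hi - lo + 1 > limit:
            return True
    return False


def conn_rate_tripped(log_text, limit=5, seconds=10):
    """Map each source IP to whether a connection-rate limiter would have caught it."""
    stats = per_source_stats(parse_failures(log_text))
    return {ip: exceeds_conn_rate(s["connection_starts"], limit, seconds)
            for ip, s in stats.items()}


if __name__ == "__main__":
    for ip, s in per_source_stats(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {s['attempts']} failed attempts over {s['connections']} connection(s), "
              f"at most {s['max_attempts_per_connection']} per connection")
    print(conn_rate_tripped(SAMPLE_LOG))
```

Run against the real /var/log/auth.log instead of SAMPLE_LOG and compare the
sources that show up as not tripping the connection rate with the ones pf
actually left unblocked; if they match, the limiter is working as designed and
the difference is in how many guesses each scanner makes per connection, which
is what a packet trace of a 'succeeding' scan would confirm.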