Date: Sat, 19 Aug 2006 23:37:30 +0200 From: Daniel Gerzo <danger@FreeBSD.org> To: Pieter de Boer <pieter@thedarkside.nl> Cc: freebsd-security@freebsd.org Subject: Re: SSH scans vs connection ratelimiting Message-ID: <47517034.20060819233730@rulez.sk> In-Reply-To: <44E76B21.8000409@thedarkside.nl> References: <44E76B21.8000409@thedarkside.nl>
next in thread | previous in thread | raw e-mail | index | archive | help
Hello Pieter,
Saturday, August 19, 2006, 9:48:49 PM, you wrote:
> Gang,
> For months now, we're all seeing repeated bruteforce attempts on SSH.
> I've configured my pf install to ratelimit TCP connections to port 22
> and to automatically add IP-addresses that connect too fast to a table
> that's filtered:
> table <lamers> { }
> block quick from <lamers> to any
> pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
> modulate state (source-track rule max-src-nodes 8 max-src-conn 8
> max-src-conn-rate 3/60 overload <lamers> flush global)
> This works as expected, IP-addresses are added to the 'lamers'-table
> every once in a while.
> However, there apparently are SSH bruteforcers that simply use one
> connection to perform a brute-force attack:
> Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122
> My theory was/is that this particular scanner simply multiplexes
> multiple authentication attempts over a single connection. I 'used the
> source luke' of OpenSSH to find support for this theory, but found the
> source a bit too wealthy for my brain to find such support.
> So, my question is: Does anyone know how this particular attack works
> and if there's a way to stop this? If my theory is sound and OpenSSH
> does not have provisions to limit the authentication requests per TCP
> session, I'd find that an inadequacy in OpenSSH, but I'm probably
> missing something here :)
try http://legonet.org/~griffin/openbsd/block_ssh_bruteforce.html
or my pet project http://danger.rulez.sk/projects/bruteforceblocker/
> Regards,
> Pieter
--
Best regards,
Daniel mailto:danger@FreeBSD.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?47517034.20060819233730>