Date:      Sun, 20 Aug 2006 14:43:13 +0200
From:      Pieter de Boer <pieter@thedarkside.nl>
To:        freebsd-security@freebsd.org
Subject:   Re: SSH scans vs connection ratelimiting
Message-ID:  <44E858E1.7050809@thedarkside.nl>
In-Reply-To: <790a9fff0608191429p180c20celc7b9ebae811097cd@mail.gmail.com>
References:  <44E76B21.8000409@thedarkside.nl> <790a9fff0608191429p180c20celc7b9ebae811097cd@mail.gmail.com>

Scot Hetzel wrote:

>> However, there apparently are SSH bruteforcers that simply use one
>> connection to perform a brute-force attack:
>>
>> Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
>> Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
>> Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
>> Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
>> Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
>> Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122

> It looks as though you need to lower 'MaxAuthTries' in your
> sshd_config file, as the default is set to allow six authentication
> attempts per connection.

I had already lowered this value to '3', which apparently does not 
matter at all. I even forgot that I did, which says enough ;)

Makes me wonder even more what's happening; even with 3 auth sessions 
per connection, that would mean only 9 attempts per minute should be 
possible. I'm seeing >100 attempts per minute, though.

-- 
Pieter




