From: Pieter de Boer
Date: Sun, 20 Aug 2006 14:43:13 +0200
To: freebsd-security@freebsd.org
Subject: Re: SSH scans vs connection ratelimiting

Scot Hetzel wrote:
>> However, there apparently are SSH bruteforcers that simply use one
>> connection to perform a brute-force attack:
>>
>> Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
>> Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
>> Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
>> Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
>> Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
>> Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122
> It looks as though you need to lower 'MaxAuthTries' in your
> sshd_config file, as the default is set to allow six authentication
> attempts per connection.

I had already lowered this value to '3', which apparently does not matter
at all. I even forgot that I did, which says enough ;)

Makes me wonder even more what's happening; even with 3 auth sessions per
connection, that would mean only 9 attempts per minute should be
possible. I'm seeing >100 attempts per minute, though.

-- 
Pieter
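
A way to measure the rates discussed in this message from the sshd log itself, as an added example that is not part of the original post: it counts "Invalid user" attempts per source per minute and per sshd PID, then compares the busiest minute with the budget the limits should allow. Assumptions: each sshd PID in the log is treated as one connection, the value of 3 connections per minute is inferred from the "9 attempts per minute" arithmetic above, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the six log lines quoted in the message (syslog omits the year).
SAMPLE = """\
Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122
"""

# Timestamp, host, sshd[pid], then the "Invalid user ... from <source>" message.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Invalid user \S+ from (?P<src>\S+)$"
)

def summarize(log_text, year=2006):
    """Return (attempts per source per minute, attempts per source per sshd PID)."""
    per_minute = defaultdict(lambda: defaultdict(int))
    per_pid = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not an "Invalid user" line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        per_minute[m["src"]][ts.replace(second=0)] += 1
        per_pid[m["src"]][m["pid"]] += 1
    return per_minute, per_pid

def over_budget(log_text, max_auth_tries=3, conns_per_minute=3):
    """Compare each source's busiest minute with max_auth_tries * conns_per_minute."""
    budget = max_auth_tries * conns_per_minute  # assumed limits, see lead-in
    per_minute, per_pid = summarize(log_text)
    report = {}
    for src, minutes in per_minute.items():
        peak = max(minutes.values())
        report[src] = {
            "peak_per_minute": peak,
            "connections": len(per_pid[src]),  # distinct sshd PIDs seen
            "max_attempts_per_connection": max(per_pid[src].values()),
            "exceeds_budget": peak > budget,
        }
    return report
```

Comparing `connections` with `max_attempts_per_connection` shows whether a source's attempts are spread over many sshd processes or concentrated in a few, which is the question the thread is trying to settle.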