SSH scans vs connection ratelimiting
Scot Hetzel
swhetzel at gmail.com
Sat Aug 19 21:29:41 UTC 2006
On 8/19/06, Pieter de Boer <pieter at thedarkside.nl> wrote:
> This works as expected, IP-addresses are added to the 'lamers'-table
> every once in a while.
>
> However, there apparently are SSH bruteforcers that simply use one
> connection to perform a brute-force attack:
>
> Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122
>
>
It looks as though you need to lower 'MaxAuthTries' in your
sshd_config file, as the default is set to allow six authentication
attempts per connection.
You'll find this in the sshd_config(5) man page.
Scot
--
DISCLAIMER:
No electrons were maimed while sending this message. Only slightly bruised.
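
An added example, not part of the original message: a log check that separates the two patterns discussed in this thread, many connections from one source (which connection rate limiting counts) versus many authentication attempts on one connection (which `MaxAuthTries` bounds). It assumes sshd logs one `Failed password ...` line per attempt and that each sshd PID corresponds to one connection; the sample lines are constructed and `proposed_limit` is a hypothetical candidate value.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH syslog format (documentation addresses only).
SAMPLE_LOG = """\
Aug 18 00:00:01 host sshd[4001]: Failed password for invalid user serwis from 192.0.2.10 port 40001 ssh2
Aug 18 00:00:03 host sshd[4001]: Failed password for invalid user serwis from 192.0.2.10 port 40001 ssh2
Aug 18 00:00:05 host sshd[4001]: Failed password for invalid user serwis from 192.0.2.10 port 40001 ssh2
Aug 18 00:00:06 host sshd[4001]: Failed password for invalid user serwis from 192.0.2.10 port 40001 ssh2
Aug 18 00:00:07 host sshd[4002]: Failed password for root from 198.51.100.7 port 50001 ssh2
Aug 18 00:00:08 host sshd[4003]: Failed password for root from 198.51.100.7 port 50002 ssh2
Aug 18 00:00:09 host sshd[4004]: Failed password for root from 198.51.100.7 port 50003 ssh2
Aug 18 00:00:10 host sshd[4005]: Accepted password for alice from 203.0.113.5 port 60001 ssh2
"""

FAILED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\S+) port \d+"
)

def attempts_by_source(log_text):
    """Map source IP -> {sshd pid: failed attempts}; assumes one pid per connection."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            per_ip[m["ip"]][m["pid"]] += 1
    return {ip: dict(pids) for ip, pids in per_ip.items()}

def summarize(log_text, proposed_limit=3):
    """Per source: connections seen, total failures, worst failures on one connection."""
    report = {}
    for ip, pids in attempts_by_source(log_text).items():
        worst = max(pids.values())
        report[ip] = {
            "connections": len(pids),      # what a connection rate limit counts
            "failures": sum(pids.values()),
            "max_per_connection": worst,   # what MaxAuthTries bounds
            # True when one connection carried more failures than the candidate limit.
            "exceeds_proposed_limit": worst > proposed_limit,
        }
    return report

if __name__ == "__main__":
    for ip, row in summarize(SAMPLE_LOG).items():
        print(ip, row)
```

A source with few connections but a high `max_per_connection` is the case a connection rate limit misses; a source with many connections and one failure each is the case it catches.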
More information about the freebsd-security mailing list