SSH scans vs connection ratelimiting

Chris rip at overflow.no
Sun Aug 20 00:34:26 UTC 2006 

I'm maintaining a patch for OpenSSH portable that allows configurable
blocking(firewalling, ipfw,ipf,iptables) of such bruteforce attempts. I
will post it if anyone is interested in it.

Daniel Gerzo wrote:
> Hello Pieter,
>
> Saturday, August 19, 2006, 9:48:49 PM, you wrote:
>
>   
>> Gang,
>>     
>
>   
>> For months now, we're all seeing repeated bruteforce attempts on SSH. 
>> I've configured my pf install to ratelimit TCP connections to port 22 
>> and to automatically add IP-addresses that connect too fast to a table
>> that's filtered:
>>     
>
>   
>> table <lamers> { }
>>     
>
>   
>> block quick from <lamers> to any
>>     
>
>   
>> pass in  quick on $ext_if inet proto tcp from any to ($ext_if) port 22
>> modulate state (source-track rule max-src-nodes 8 max-src-conn 8 
>> max-src-conn-rate 3/60 overload <lamers> flush global)
>>     
>
>
>   
>> This works as expected, IP-addresses are added to the 'lamers'-table 
>> every once in a while.
>>     
>
>   
>> However, there apparently are SSH bruteforcers that simply use one 
>> connection to perform a brute-force attack:
>>     
>
>   
>> Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
>> Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
>> Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
>> Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
>> Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
>> Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122
>>     
>
>
>   
>> My theory was/is that this particular scanner simply multiplexes 
>> multiple authentication attempts over a single connection. I 'used the
>> source luke' of OpenSSH to find support for this theory, but found the
>> source a bit too wealthy for my brain to find such support.
>>     
>
>   
>> So, my question is: Does anyone know how this particular attack works 
>> and if there's a way to stop this? If my theory is sound and OpenSSH 
>> does not have provisions to limit the authentication requests per TCP 
>> session, I'd find that an inadequacy in OpenSSH, but I'm probably 
>> missing something here :)
>>     
>
> try http://legonet.org/~griffin/openbsd/block_ssh_bruteforce.html
> or my pet project http://danger.rulez.sk/projects/bruteforceblocker/
>
>   
>> Regards,
>> Pieter
>>     
>
>

More information about the freebsd-security mailing list