SSH scans vs connection ratelimiting
Chris
rip at overflow.no
Mon Aug 21 01:33:05 UTC 2006
As requested, here you go. Please read the README file for further
information.
http://irchost.no/ssh-4.3p2+timelox+chroot.tgz
Chris wrote:
> On 20/08/06, Chris <rip at overflow.no> wrote:
>> I'm maintaining a patch for OpenSSH portable that allows configurable
>> blocking(firewalling, ipfw,ipf,iptables) of such bruteforce attempts. I
>> will post it if anyone is interested in it.
>>
>> Daniel Gerzo wrote:
>> > Hello Pieter,
>> >
>> > Saturday, August 19, 2006, 9:48:49 PM, you wrote:
>> >
>> >> Gang,
>> >>
>> >> For months now, we're all seeing repeated bruteforce attempts on SSH.
>> >> I've configured my pf install to ratelimit TCP connections to port 22
>> >> and to automatically add IP addresses that connect too fast to a table
>> >> that's filtered:
>> >>
>> >> table <lamers> { }
>> >>
>> >> block quick from <lamers> to any
>> >>
>> >> pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22 modulate state (source-track rule max-src-nodes 8 max-src-conn 8 max-src-conn-rate 3/60 overload <lamers> flush global)
>> >>
>> >> This works as expected, IP addresses are added to the 'lamers' table
>> >> every once in a while.
>> >>
>> >> However, there apparently are SSH bruteforcers that simply use one
>> >> connection to perform a brute-force attack:
>> >>
>> >> Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
>> >> Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
>> >> Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
>> >> Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
>> >> Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
>> >> Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122
>> >>
>> >> My theory was/is that this particular scanner simply multiplexes
>> >> multiple authentication attempts over a single connection. I 'used the
>> >> source luke' of OpenSSH to find support for this theory, but found the
>> >> source a bit too wealthy for my brain to find such support.
>> >>
>> >> So, my question is: Does anyone know how this particular attack works
>> >> and if there's a way to stop this? If my theory is sound and OpenSSH
>> >> does not have provisions to limit the authentication requests per TCP
>> >> session, I'd find that an inadequacy in OpenSSH, but I'm probably
>> >> missing something here :)
>> >>
>> > try http://legonet.org/~griffin/openbsd/block_ssh_bruteforce.html
>> > or my pet project http://danger.rulez.sk/projects/bruteforceblocker/
>> >
>> >> Regards,
>> >> Pieter
>>
>
> I am interested in this patch thanks.
>
> Chris
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe at freebsd.org"
>
>
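The log-watching side of the approach Daniel points at (read sshd's log, feed offending sources into a pf table), as an added example that is not code from this thread, from bruteforceblocker or from the linked patch. It parses the quoted "Invalid user" lines, tells a one-connection attack from a many-connection one by sshd PID (sshd forks one child per TCP connection and logs under that child's PID, so the six quoted lines with six different PIDs are six connections in 13 seconds rather than one multiplexed session), applies the same 3/60 test the quoted max-src-conn-rate expresses, and emits the pfctl command that would add the source to <lamers>. The two lines for 192.0.2.10, the year 2006, and the strictly-greater-than reading of the threshold are assumptions made here. For the per-connection side of the question, OpenSSH's own limit on authentication attempts within one session is the MaxAuthTries directive in sshd_config.

```python
"""Group sshd 'Invalid user' lines by source, count distinct connections by
sshd PID, and emit pfctl commands for sources that exceed a pf-style
max-src-conn-rate threshold.  Added example, not code from the thread."""
import re
from collections import defaultdict
from datetime import datetime

# The six 83.19.113.122 lines are the ones quoted in the thread; the two
# 192.0.2.10 lines are constructed here as a source that stays under the rate.
SAMPLE_LOG = """\
Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122
Aug 18 00:02:00 aberdeen sshd[88100]: Invalid user admin from 192.0.2.10
Aug 18 00:07:00 aberdeen sshd[88130]: Invalid user admin from 192.0.2.10
"""

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+"
    r"sshd\[(?P<pid>\d+)\]:\s+Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)$"
)


def parse_log(text, year=2006):
    """Return (timestamp, pid, user, ip) for every 'Invalid user' line.
    syslog timestamps carry no year, so one is assumed (2006 here)."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        stamp = " ".join(m["ts"].split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, int(m["pid"]), m["user"], m["ip"]))
    return events


def connections_by_source(events):
    """Map each source IP to the sorted start times of its distinct connections.
    sshd logs each connection under the PID of the child forked for it, so a
    new PID is a new connection; attempts multiplexed over one connection
    would all carry the same PID."""
    first_seen = defaultdict(dict)
    for ts, pid, _user, ip in events:
        if pid not in first_seen[ip] or ts < first_seen[ip][pid]:
            first_seen[ip][pid] = ts
    return {ip: sorted(pids.values()) for ip, pids in first_seen.items()}


def summarize(events):
    """Per-source attempt count, connection count, time span and usernames."""
    per_ip = defaultdict(list)
    for ev in events:
        per_ip[ev[3]].append(ev)
    conns = connections_by_source(events)
    summary = {}
    for ip, evs in per_ip.items():
        evs.sort()
        summary[ip] = {
            "attempts": len(evs),
            "connections": len(conns[ip]),
            "span_s": (evs[-1][0] - evs[0][0]).total_seconds(),
            "users": sorted({e[2] for e in evs}),
        }
    return summary


def exceeds_conn_rate(conn_starts, max_conn, window_s):
    """True if some window of window_s seconds holds more than max_conn new
    connections: the condition pf's 'max-src-conn-rate max_conn/window_s'
    is taken to express here (strictly-greater-than is an assumption)."""
    for i, start in enumerate(conn_starts):
        in_window = sum(
            1 for later in conn_starts[i:]
            if (later - start).total_seconds() < window_s
        )
        if in_window > max_conn:
            return True
    return False


def block_commands(events, max_conn=3, window_s=60, table="lamers"):
    """pfctl commands a log watcher would run for every source over the rate."""
    cmds = []
    for ip, starts in sorted(connections_by_source(events).items()):
        if exceeds_conn_rate(starts, max_conn, window_s):
            cmds.append(f"pfctl -t {table} -T add {ip}")
    return cmds


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, info in summarize(evs).items():
        print(ip, info)
    for cmd in block_commands(evs):
        print(cmd)
```

Run against the quoted lines, the summary reports six attempts over six connections in 13 seconds for 83.19.113.122, which a 3/60 rate test flags, while the constructed 192.0.2.10 source with two connections five minutes apart is left alone. A watcher built this way only sees what sshd logs, so for a single long-lived connection it would need to count attempts per PID instead of connections per source.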