SSH scans vs connection ratelimiting


For months now, we're all seeing repeated bruteforce attempts on SSH. I've configured my pf install to ratelimit TCP connections to port 22 and to automatically add IP-addresses that connect too fast to a table that's filtered:

table <lamers> { }

block quick from <lamers> to any

pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22 modulate state (source-track rule max-src-nodes 8 max-src-conn 8 max-src-conn-rate 3/60 overload <lamers> flush global)

This works as expected, IP-addresses are added to the 'lamers'-table every once in a while.

However, there apparently are SSH bruteforcers that simply use one connection to perform a brute-force attack:

Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from
Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from
Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from
Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from
Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from
Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from

My theory was/is that this particular scanner simply multiplexes multiple authentication attempts over a single connection. I 'used the source luke' of OpenSSH to find support for this theory, but found the source a bit too wealthy for my brain to find such support.

So, my question is: Does anyone know how this particular attack works and if there's a way to stop this? If my theory is sound and OpenSSH does not have provisions to limit the authentication requests per TCP session, I'd find that an inadequacy in OpenSSH, but I'm probably missing something here :)
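An added example, not part of the original post and not code from OpenSSH or pf: a log-side counterpart to the pf rule above. It counts "Invalid user" lines per source address in a sliding window (3 per 60 seconds, mirroring max-src-conn-rate 3/60) however many connections carried them, and builds pfctl commands for the <lamers> table. The sample addresses, the year argument and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the sshd syslog format shown above; the
# addresses are documentation-range placeholders, not values from the post.
SAMPLE_LOG = """\
Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 192.0.2.10
Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 192.0.2.10
Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 192.0.2.10
Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user admin from 192.0.2.10
Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user test from 192.0.2.10
Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user guest from 198.51.100.7
Aug 18 00:09:30 aberdeen sshd[88100]: Invalid user guest from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: "
    r"Invalid user \S+ from (\d{1,3}(?:\.\d{1,3}){3})\s*$")

def parse(log, year=2000):
    """Yield (timestamp, sshd pid, source) per well-formed 'Invalid user' line.
    Syslog omits the year; any fixed year works for the window arithmetic."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines with a missing or malformed address are skipped
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, int(m.group(2)), m.group(3)

def offenders(log, max_fail=3, window=timedelta(seconds=60)):
    """Return {address: number of distinct sshd pids} for every source that
    logs more than max_fail failures inside any sliding window."""
    recent, pids, hits = defaultdict(list), defaultdict(set), set()
    for ts, pid, src in sorted(parse(log)):
        pids[src].add(pid)
        recent[src] = [t for t in recent[src] if ts - t < window] + [ts]
        if len(recent[src]) > max_fail:
            hits.add(src)
    return {src: len(pids[src]) for src in hits}

def pfctl_commands(log, table="lamers"):
    """Build (not run) the pfctl commands that add each offender to the table."""
    return [f"pfctl -t {table} -T add {src}" for src in sorted(offenders(log))]

if __name__ == "__main__":
    for src, n in offenders(SAMPLE_LOG).items():
        # sshd forks one child per connection, so distinct pids in the log
        # mean distinct connections from that source.
        print(f"{src}: failures spread over {n} sshd process(es)")
    print("\n".join(pfctl_commands(SAMPLE_LOG)))
```

The per-address pid count shows whether the failures arrived over one connection or several, which is the distinction the connection-rate rule depends on.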
