Re: SSH scans vs connection ratelimiting



On Sat, 19 Aug 2006, Pieter de Boer wrote:

Gang,

For months now, we're all seeing repeated brute-force attempts on SSH. I've configured my pf install to rate-limit TCP connections to port 22 and to automatically add IP addresses that connect too fast to a table that's filtered:

table <lamers> { }

block quick from <lamers> to any

pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22 modulate state (source-track rule max-src-nodes 8 max-src-conn 8 max-src-conn-rate 3/60 overload <lamers> flush global)


This works as expected; IP addresses are added to the 'lamers' table every once in a while.

However, there apparently are SSH brute-forcers that simply use one connection to perform a brute-force attack:

Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122


My theory was/is that this particular scanner simply multiplexes multiple authentication attempts over a single connection. I 'used the source luke' of OpenSSH to find support for this theory, but found the source a bit too wealthy for my brain to find such support.

So, my question is: Does anyone know how this particular attack works and if there's a way to stop this? If my theory is sound and OpenSSH does not have provisions to limit the authentication requests per TCP session, I'd find that an inadequacy in OpenSSH, but I'm probably missing something here :)

Isn't it the "MaxAuthTries" option for sshd which provides such functionality?
Please look for "MaxAuthTries" in the sshd_config(5) manpage for details.

regards
Joerg

-- 
The beginning is the most important part of the work.
-Plato
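The thread's pf rule counts new TCP connections per source, while MaxAuthTries caps attempts per connection; what neither does is count failed logins per source across connections. The following is an added example (my code, not Pieter's or Joerg's) that does that over the sshd lines quoted above: it parses the log, applies a sliding 60-second window per source IP, and emits the pfctl commands that would add offenders to the thread's <lamers> table. The year 2006, the threshold of three failures and the extra 192.0.2.7 line are assumptions of mine.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the six sshd lines quoted in the thread, plus one
# unrelated single failure (192.0.2.7) that must NOT be flagged.
SAMPLE_LOG = """\
Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122
Aug 18 00:01:30 aberdeen sshd[88040]: Invalid user test from 192.0.2.7
"""
# Matches the two common OpenSSH failure messages; syslog lines carry no year.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+|Failed password for (?:invalid user )?\S+) from (?P<ip>[\d.]+)")
def parse(log_text, year=2006):
    """Return [(timestamp, ip)] for each failed-auth line; the year is assumed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    return events
def offenders(events, max_failures=3, window_s=60):
    """Map ip -> peak failures inside any window_s-second span, for IPs exceeding
    max_failures. Unlike pf's max-src-conn-rate this counts authentication
    failures, however many (or few) TCP connections they are spread over."""
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count > max_failures:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits
def pfctl_commands(hits, table="lamers"):
    """pfctl invocations that would add each offender to the thread's <lamers> table."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(hits)]
```

Run it against a real /var/log/auth.log tail to get the commands; pairing it with a cron job or a syslog pipe turns it into a log-driven complement to the connection-rate overload.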