Re: SSH scans vs connection ratelimiting

I'm maintaining a patch for OpenSSH portable that allows configurable
blocking (firewalling: ipfw, ipf, iptables) of such bruteforce attempts. I
will post it if anyone is interested in it.

Daniel Gerzo wrote:
Hello Pieter,

Saturday, August 19, 2006, 9:48:49 PM, you wrote:

Gang,

For months now, we're all seeing repeated bruteforce attempts on SSH.
I've configured my pf install to ratelimit TCP connections to port 22
and to automatically add IP-addresses that connect too fast to a table
that's filtered:

table <lamers> { }

block quick from <lamers> to any

pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
modulate state (source-track rule max-src-nodes 8 max-src-conn 8
max-src-conn-rate 3/60 overload <lamers> flush global)

This works as expected, IP-addresses are added to the 'lamers'-table
every once in a while.

However, there apparently are SSH bruteforcers that simply use one
connection to perform a brute-force attack:

Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122

My theory was/is that this particular scanner simply multiplexes
multiple authentication attempts over a single connection. I 'used the
source luke' of OpenSSH to find support for this theory, but found the
source a bit too wealthy for my brain to find such support.

So, my question is: Does anyone know how this particular attack works
and if there's a way to stop this? If my theory is sound and OpenSSH
does not have provisions to limit the authentication requests per TCP
session, I'd find that an inadequacy in OpenSSH, but I'm probably
missing something here :)

try http://legonet.org/~griffin/openbsd/block_ssh_bruteforce.html
or my pet project http://danger.rulez.sk/projects/bruteforceblocker/

Regards,
Pieter

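Counting failed attempts per source address straight from the sshd log, the way log-based blockers like the ones linked above do, flags a source no matter how many TCP connections it spreads its attempts over, which is exactly the case the pf connection-rate rule cannot see. The script below is an added example written for this thread, not code from bruteforceblocker, the legonet script or the poster's setup; it assumes the BSD syslog line format quoted above (year assumed to be 2006 for parsing) plus one constructed line for a second source, and it also reports the number of distinct sshd PIDs per source, since sshd forks a child per connection, so distinct PIDs mean distinct connections.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the sshd lines quoted in the thread;
# the last line (192.0.2.10, a documentation address) is added for contrast.
SAMPLE_LOG = """\
Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:20 aberdeen sshd[88030]: Invalid user admin from 192.0.2.10
"""

# Matches the "Invalid user" and "Failed password" forms of sshd auth failures.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?:Invalid user \S+|Failed password for (?:invalid user )?\S+) from (?P<ip>[\d.]+)"
)

def parse(log_text, year=2006):
    # Syslog timestamps carry no year, so one is assumed for parsing.
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], int(m["pid"])))
    return events

def offenders(events, max_attempts=3, window_seconds=60):
    # Returns {ip: (total_attempts, distinct_sshd_pids)} for every source
    # with more than max_attempts failures inside any window_seconds window.
    per_ip = defaultdict(list)
    for ts, ip, pid in sorted(events):
        per_ip[ip].append((ts, pid))
    result = {}
    for ip, hits in per_ip.items():
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it fits the time limit.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > max_attempts:
                result[ip] = (len(hits), len({pid for _, pid in hits}))
                break
    return result
```

The sample source is reported with six attempts over six distinct PIDs, i.e. six separate connections inside 14 seconds, which is the kind of detail that separates a many-connection scanner from a single-connection one.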
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"