Re: SSH scans vs connection ratelimiting
- From: Pieter de Boer <pieter@xxxxxxxxxxxxxx>
- Date: Sun, 20 Aug 2006 14:43:13 +0200
Scot Hetzel wrote:
However, there apparently are SSH bruteforcers that simply use one
connection to perform a brute-force attack:
Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122
It looks as though you need to lower 'MaxAuthTries' in your
sshd_config file, as the default is set to allow six authentication
attempts per connection.
I had already lowered this value to '3', which apparantly does not matter at all. I even forgot that I did, which says enough ;)
Makes me wonder even more what's happening; even with 3 auth sessions per connection, that would mean only 9 attempts per minute should be possible. I'm seeing >100 attempts per minute, though.
--
Pieter
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
- References:
- SSH scans vs connection ratelimiting
- From: Pieter de Boer
- Re: SSH scans vs connection ratelimiting
- From: Scot Hetzel
- SSH scans vs connection ratelimiting
- Prev by Date: Re: SSH scans vs connection ratelimiting
- Next by Date: Re: SSH scans vs connection ratelimiting
- Previous by thread: Re: SSH scans vs connection ratelimiting
- Next by thread: Re: SSH scans vs connection ratelimiting
- Index(es):
