Re: SSH scans vs connection ratelimiting



On 19/08/06, Pieter de Boer <pieter@xxxxxxxxxxxxxx> wrote:
Gang,

For months now, we're all seeing repeated bruteforce attempts on SSH.
I've configured my pf install to ratelimit TCP connections to port 22
and to automatically add IP-addresses that connect too fast to a table
that's filtered:

table <lamers> { }

block quick from <lamers> to any

pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
modulate state (source-track rule max-src-nodes 8 max-src-conn 8
max-src-conn-rate 3/60 overload <lamers> flush global)


This works as expected, IP-addresses are added to the 'lamers'-table
every once in a while.

However, there apparently are SSH bruteforcers that simply use one
connection to perform a brute-force attack:

Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122


My theory was/is that this particular scanner simply multiplexes
multiple authentication attempts over a single connection. I 'used the
source luke' of OpenSSH to find support for this theory, but found the
source a bit too wealthy for my brain to find such support.

So, my question is: Does anyone know how this particular attack works
and if there's a way to stop this? If my theory is sound and OpenSSH
does not have provisions to limit the authentication requests per TCP
session, I'd find that an inadequacy in OpenSSH, but I'm probably
missing something here :)

There were tons of discussions on this topic on misc@OpenBSD mailing
list, so you can try searching the archives for some more ideas.

This is just one thread that I've found now, called "is there a way to
block sshd trolling?":
http://arkiv.openbsd.nu/?ml=openbsd-misc&a=0&t=1325006.

Most of these attacks come from compromised Linux hosts, so if you use
pf(4), you could easily block access to the ssh port from any Linux
machine, and then you're mostly covered. :) See
http://arkiv.openbsd.nu/?ml=openbsd-misc&a=0&m=1332409.

Cheers,
Constantine.
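A log-side complement to the pf ruleset quoted above, added here as an example and not code from either poster. pf's max-src-conn-rate only counts new TCP connections per source, so authentication failures that arrive without a new connection never reach its counters; sshd's own log records every failed attempt regardless of how it arrived. The script below parses lines in the format quoted in the thread, counts failures per source IP in a sliding window, and builds the pfctl commands that would feed offenders into the same <lamers> table the ruleset already blocks. The sample log lines are constructed (the first six mirror the thread's entries, the rest use documentation addresses); the threshold, window and year are assumptions, and the commands are returned as strings rather than executed so the operator decides whether to run them.

```python
"""Count sshd auth failures per source IP and emit pfctl table additions.

Added example (not from the thread). Assumes sshd logs in the syslog format
quoted on the list and a pf table named <lamers>, as in the posted ruleset.
"""
import re
import shlex
from collections import defaultdict, deque
from datetime import datetime

# Matches the sshd lines quoted in the thread: syslog timestamp, host, pid, message.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<msg>.*?) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Failure messages worth counting. "Invalid user" is what the thread shows; the
# others are sshd's standard wording for failed authentication of existing users.
FAILURE_PREFIXES = ("Invalid user", "Failed password for", "Failed publickey for")

# Constructed sample: the first six lines mirror the thread, the rest are made up
# (RFC 5737 documentation addresses) to show a success and a second source.
SAMPLE_LOG = """\
Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:08 aberdeen sshd[88013]: Accepted publickey for pieter from 192.0.2.10 port 51022 ssh2
Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122
Aug 18 00:02:30 aberdeen sshd[88040]: Failed password for root from 198.51.100.7 port 40111 ssh2
""".splitlines()


def parse_line(line, year=2006):
    """Return (timestamp, source_ip) for a failed-auth line, or None otherwise."""
    m = LOG_RE.match(line)
    if not m or not m.group("msg").startswith(FAILURE_PREFIXES):
        return None
    # syslog timestamps carry no year; the caller supplies one (assumed 2006 here,
    # matching the thread's date).
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")


def find_offenders(lines, threshold=5, window_seconds=60, year=2006):
    """Map source IP -> time it first reached `threshold` failures within the window.

    Counting is per source regardless of how many TCP connections (pids) carried
    the attempts, which is precisely the case a per-connection counter misses.
    """
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    offenders = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have aged out of the sliding window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders


def pfctl_add_commands(offenders, table="lamers"):
    """Build the pfctl invocations that add each offender to the pf table.

    Returned as strings so the caller can review them or hand them to subprocess.
    """
    return [f"pfctl -t {shlex.quote(table)} -T add {ip}" for ip in sorted(offenders)]


if __name__ == "__main__":
    found = find_offenders(SAMPLE_LOG)
    for ip, when in found.items():
        print(f"{ip} reached threshold at {when:%b %d %H:%M:%S}")
    for cmd in pfctl_add_commands(found):
        print(cmd)
```

With the defaults, only 83.19.113.122 crosses the threshold (on its fifth failure at 00:00:13) and the single root failure from the second address is ignored; tightening the window to five seconds produces no offenders at all, which shows why the window should be chosen from the observed cadence rather than guessed. One caveat for readers of the thread: sshd_config does carry a per-connection cap, MaxAuthTries (default 6), and LoginGraceTime bounds how long an unauthenticated connection may stay open, so log-based blocking and pf's connection-rate limiting are complements to those settings rather than substitutes.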
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
