Re: SSH scans vs connection ratelimiting
- From: Pieter de Boer <pieter@xxxxxxxxxxxxxx>
- Date: Sun, 20 Aug 2006 18:59:36 +0200
Constantine A. Murenin wrote:
>> So, my question is: Does anyone know how this particular attack works
>> and if there's a way to stop this? If my theory is sound and OpenSSH
>> does not have provisions to limit the authentication requests per TCP
>> session, I'd find that an inadequacy in OpenSSH, but I'm probably
>> missing something here :)
>
> This is just one thread that I've found now, called "is there a way to
> block sshd trolling?":
> http://arkiv.openbsd.nu/?ml=openbsd-misc&a=0&t=1325006.

I'm not so much searching for a solution to the 'problem', but rather want to know why ratelimiting apparently doesn't work for some of the scans. I see IP addresses being blocked just fine by the pf rule due to scans, but also see some other scans still succeed. Ratelimiting is one of the few solutions I can agree with, and it should simply work.

> Most of these attacks come from compromised Linux hosts, so if you use
> pf(4), you could easily block access to ssh port from any Linux
> machine, and then you're mostly covered. :) See
> http://arkiv.openbsd.nu/?ml=openbsd-misc&a=0&m=1332409.

Perhaps I should try running a tcpdump for a few days again to get a packet trace of such a 'succeeding' scan. Might show what's going on..
--
Pieter
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
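
One way to test the theory raised in this thread (scans that stay under a per-source connection rate limit because they make several authentication attempts per TCP session) is to group sshd's failed-password log lines by connection. This is an added example, not code from the thread: the log lines are constructed, the 3 connections per 30 seconds limit is a hypothetical value (the thread does not give the pf rule), and it assumes each sshd PID in the log corresponds to one TCP connection.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH syslog format (not taken from the thread).
SAMPLE_LOG = """\
Aug 20 12:00:01 gw sshd[4101]: Failed password for root from 192.0.2.10 port 40001 ssh2
Aug 20 12:00:02 gw sshd[4101]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Aug 20 12:00:03 gw sshd[4101]: Failed password for invalid user test from 192.0.2.10 port 40001 ssh2
Aug 20 12:00:20 gw sshd[4102]: Failed password for root from 192.0.2.10 port 40002 ssh2
Aug 20 12:00:21 gw sshd[4102]: Failed password for invalid user guest from 192.0.2.10 port 40002 ssh2
Aug 20 12:00:22 gw sshd[4102]: Failed password for invalid user www from 192.0.2.10 port 40002 ssh2
Aug 20 12:01:00 gw sshd[4110]: Failed password for root from 198.51.100.7 port 51000 ssh2
Aug 20 12:01:02 gw sshd[4111]: Failed password for root from 198.51.100.7 port 51001 ssh2
Aug 20 12:01:04 gw sshd[4112]: Failed password for root from 198.51.100.7 port 51002 ssh2
Aug 20 12:01:06 gw sshd[4113]: Failed password for root from 198.51.100.7 port 51003 ssh2
Aug 20 12:01:08 gw sshd[4114]: Failed password for root from 198.51.100.7 port 51004 ssh2
"""

LINE = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[(\d+)\]: Failed password for "
    r"(?:invalid user )?\S+ from (\S+) port \d+")

def summarize(log, max_conns=3, window=30, year=2006):
    """Per source: connections, failed attempts, and whether more than
    max_conns connections began within `window` seconds (assumed limit)."""
    conns = defaultdict(dict)  # src -> {sshd pid: [first failure time, attempts]}
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is supplied (assumption)
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        entry = conns[m.group(3)].setdefault(m.group(2), [ts, 0])
        entry[1] += 1
    report = {}
    for src, by_pid in conns.items():
        # first failure per PID approximates the connection start time
        starts = sorted(first for first, _ in by_pid.values())
        over = any((starts[i + max_conns] - starts[i]).total_seconds() <= window
                   for i in range(len(starts) - max_conns))
        attempts = [n for _, n in by_pid.values()]
        report[src] = {"connections": len(by_pid), "attempts": sum(attempts),
                       "max_per_conn": max(attempts), "over_conn_rate": over}
    return report

if __name__ == "__main__":
    for src, row in summarize(SAMPLE_LOG).items():
        print(src, row)
```

A source with `over_conn_rate` false but a high `max_per_conn` is the pattern the theory predicts: more guesses than a tripped source, without ever exceeding the connection limit.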