Re: SSH scans vs connection ratelimiting
On 20/08/06, Chris <rip@overflow.no> wrote:
> I'm maintaining a patch for OpenSSH portable that allows configurable
> blocking(firewalling, ipfw,ipf,iptables) of such bruteforce attempts. I
> will post it if anyone is interested in it.
>
> Daniel Gerzo wrote:
> > Hello Pieter,
> >
> > Saturday, August 19, 2006, 9:48:49 PM, you wrote:
> >
> >
> >> Gang,
> >>
> >
> >
> >> For months now, we're all seeing repeated bruteforce attempts on SSH.
> >> I've configured my pf install to ratelimit TCP connections to port 22
> >> and to automatically add IP-addresses that connect too fast to a table
> >> that's filtered:
> >>
> >
> >
> >> table <lamers> { }
> >>
> >
> >
> >> block quick from <lamers> to any
> >>
> >
> >
> >> pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
> >> modulate state (source-track rule max-src-nodes 8 max-src-conn 8
> >> max-src-conn-rate 3/60 overload <lamers> flush global)
> >>
> >
> >
> >
> >> This works as expected, IP-addresses are added to the 'lamers'-table
> >> every once in a while.
> >>
> >
> >
> >> However, there apparently are SSH bruteforcers that simply use one
> >> connection to perform a brute-force attack:
> >>
> >
> >
> >> Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
> >> Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
> >> Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
> >> Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
> >> Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
> >> Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122
> >>
> >
> >
> >
> >> My theory was/is that this particular scanner simply multiplexes
> >> multiple authentication attempts over a single connection. I 'used the
> >> source luke' of OpenSSH to find support for this theory, but found the
> >> source a bit too wealthy for my brain to find such support.
> >>
> >
> >
> >> So, my question is: Does anyone know how this particular attack works
> >> and if there's a way to stop this? If my theory is sound and OpenSSH
> >> does not have provisions to limit the authentication requests per TCP
> >> session, I'd find that an inadequacy in OpenSSH, but I'm probably
> >> missing something here :)
> >>
> >
> > try http://legonet.org/~griffin/openbsd/block_ssh_bruteforce.html
> > or my pet project http://danger.rulez.sk/projects/bruteforceblocker/
> >
> >
> >> Regards,
> >> Pieter
> >>
> >
> >
>
I am interested in this patch thanks.
Chris
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
討論串 (同標題文章)
完整討論串 (本文為第 7 之 16 篇):