From owner-freebsd-security@FreeBSD.ORG Sat Aug 19 21:29:41 2006
From: "Scot Hetzel"
To: "Pieter de Boer"
Cc: freebsd-security@freebsd.org
Date: Sat, 19 Aug 2006 16:29:38 -0500
Subject: Re: SSH scans vs connection ratelimiting
Message-ID: <790a9fff0608191429p180c20celc7b9ebae811097cd@mail.gmail.com>
In-Reply-To: <44E76B21.8000409@thedarkside.nl>
List-Id: "Security issues [members-only posting]"

On 8/19/06, Pieter de Boer
wrote:
> This works as expected, IP addresses are added to the 'lamers'-table
> every once in a while.
>
> However, there apparently are SSH bruteforcers that simply use one
> connection to perform a brute-force attack:
>
> Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122
>

It looks as though you need to lower 'MaxAuthTries' in your sshd_config file, as the default is set to allow six authentication attempts per connection. You'll find this in the sshd_config(5) man page.

Scot
-- 
DISCLAIMER: No electrons were maimed while sending this message. Only slightly bruised.
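The two points in this exchange, a connection-rate table that does not see a brute-forcer working through a single connection and the MaxAuthTries cap Scot recommends, can both be checked from the data at hand. The following is an added example, not code from either poster or from FreeBSD: it parses the sshd lines quoted above, counts failures per source address in a sliding window instead of per connection, and reads the effective MaxAuthTries from an sshd_config text. The 192.0.2.10 line, the threshold and window values are constructed, and the year 2006 is assumed because syslog omits it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Sample input: the six sshd lines quoted in Pieter's message plus one constructed
# line (source 192.0.2.10, a TEST-NET address) that fails only once.
SAMPLE_LOG = """\
Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:07 aberdeen sshd[88013]: Invalid user admin from 192.0.2.10
Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122
"""

# Matches the syslog format shown above: "<Mon> <day> <HH:MM:SS> <host> sshd[<pid>]: Invalid user <name> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user \S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def parse_failures(log_text, year=2006):
    """Yield (timestamp, source_ip) per 'Invalid user' line; syslog omits the year (2006 assumed)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def offenders(log_text, threshold=5, window_s=60):
    """Map each source with >= threshold failures inside a window_s-second sliding window
    to its peak count. Counting per source address rather than per connection covers
    the one-connection brute force that a connection-rate table does not see."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # expire entries older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def max_auth_tries(sshd_config_text, default=6):
    """Effective MaxAuthTries from sshd_config text: sshd keeps the first occurrence
    of a keyword and the OpenSSH default is 6. Match blocks are not handled."""
    for line in sshd_config_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2 and fields[0].lower() == "maxauthtries" and fields[1].isdigit():
            return int(fields[1])
    return default
```

Feeding `offenders()` the full auth log and acting on its result (for example, adding the address to the pf table the first message describes) catches the source regardless of how many connections it used, while `max_auth_tries()` confirms whether the cap was actually lowered.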