From owner-freebsd-security@FreeBSD.ORG Sun Aug 20 12:50:16 2006
Return-Path:
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7EDB116A4F4 for ; Sun, 20 Aug 2006 12:50:16 +0000 (UTC) (envelope-from pieter@thedarkside.nl)
Received: from mail.thelostparadise.com (aberdeen.thelostparadise.com [193.202.115.174]) by mx1.FreeBSD.org (Postfix) with ESMTP id CCF8343D5E for ; Sun, 20 Aug 2006 12:50:10 +0000 (GMT) (envelope-from pieter@thedarkside.nl)
Received: from [195.16.84.91] (ip-84-91.members.virt-ix.net [195.16.84.91]) by mail.thelostparadise.com (Postfix) with ESMTP id F28A261C38 for ; Sun, 20 Aug 2006 14:50:33 +0200 (CEST)
Message-ID: <44E85A80.3000608@thedarkside.nl>
Date: Sun, 20 Aug 2006 14:50:08 +0200
From: Pieter de Boer
User-Agent: Thunderbird 1.5.0.4 (X11/20060611)
MIME-Version: 1.0
To: freebsd-security@freebsd.org
References: <44E76B21.8000409@thedarkside.nl> <20060819142846.N45201@orthanc.ca>
In-Reply-To: <20060819142846.N45201@orthanc.ca>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Sun, 20 Aug 2006 13:31:25 +0000
Subject: Re: SSH scans vs connection ratelimiting
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 20 Aug 2006 12:50:16 -0000

Lyndon Nerenberg wrote:

> Take a look at /usr/ports/security/bruteforceblocker. It monitors the
> system log for failed ssh logins, and blocks the sites via pf. It's
> reasonably configurable, and works very well. I've been running it for
> months without trouble.

I've written a similar script which worked okay for the most part. Probably not as fancy, but a la.

Point is, I'd prefer to:

1) Know why the attack still works although I'm ratelimiting to 3 connections per minute and MaxAuthTries is set to 3 (but if it was still the default value 6, it should've triggered, too)

2) Fix it at the root cause, probably OpenSSH?

--
Pieter
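The two messages above describe the same defensive building block from different angles: a log watcher that counts failed sshd logins per source and feeds offenders into a pf table, and a pf rule that limits connections per minute while sshd's MaxAuthTries caps password attempts per connection. The following is an added example, not bruteforceblocker's code or Pieter's script. It parses OpenSSH "Failed password" syslog lines, reports addresses that exceed a failure threshold inside a sliding window, and separately counts connections (one sshd child pid per connection) against total attempts, which is the measurement that tells the two limits apart. The log lines, the year prepended to the syslog timestamps, and the pf table name `bruteforce` are constructed assumptions; the script only prints the `pfctl` commands it would run.

```python
"""Count failed sshd logins per source address and derive pf table additions.

Added example; not the code of bruteforceblocker or of the mailing-list author.
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches OpenSSH "Failed password" lines as written to the system log.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample log: one noisy source with two connections and five guesses,
# one legitimate user with two widely spaced typos, and one successful login.
SAMPLE_LOG = """\
Aug 20 14:01:02 host sshd[1001]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Aug 20 14:01:03 host sshd[1001]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Aug 20 14:01:04 host sshd[1001]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Aug 20 14:01:20 host sshd[1002]: Failed password for root from 192.0.2.10 port 40002 ssh2
Aug 20 14:01:21 host sshd[1002]: Failed password for root from 192.0.2.10 port 40002 ssh2
Aug 20 14:03:00 host sshd[1003]: Failed password for pieter from 198.51.100.7 port 50000 ssh2
Aug 20 14:20:00 host sshd[1004]: Failed password for pieter from 198.51.100.7 port 50001 ssh2
Aug 20 14:01:30 host sshd[1005]: Accepted publickey for pieter from 198.51.100.7 port 50002 ssh2
"""

# syslog timestamps carry no year; a fixed one is assumed so they can be ordered.
ASSUMED_YEAR = "2006"


def parse_failures(lines):
    """Yield (timestamp, ip, user, pid) for every failed-login line; skip the rest."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(ASSUMED_YEAR + " " + m["ts"], "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"], int(m["pid"])


def offenders(lines, max_failures=3, window_seconds=60):
    """Return {ip: total_failures} for addresses with more than max_failures
    failed logins inside any window_seconds interval (sliding window)."""
    by_ip = defaultdict(list)
    for ts, ip, _user, _pid in parse_failures(lines):
        by_ip[ip].append(ts)
    result = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):
            # advance the window start until it is within window_seconds of t
            while (t - stamps[lo]).total_seconds() > window_seconds:
                lo += 1
            if hi - lo + 1 > max_failures:
                result[ip] = len(stamps)
                break
    return result


def connections_and_attempts(lines):
    """Return {ip: (distinct_connections, failed_attempts)}.

    sshd forks one child per connection, so distinct pids approximate connections:
    a per-connection rate limit bounds the first number, MaxAuthTries bounds the
    ratio of the second to the first."""
    pids = defaultdict(set)
    attempts = defaultdict(int)
    for _ts, ip, _user, pid in parse_failures(lines):
        pids[ip].add(pid)
        attempts[ip] += 1
    return {ip: (len(pids[ip]), attempts[ip]) for ip in attempts}


def pf_commands(ips, table="bruteforce"):
    """Build the pfctl invocations that would add each address to a pf table.
    The table name is an assumption; the commands are returned, not executed."""
    return ["pfctl -t %s -T add %s" % (table, ip) for ip in sorted(ips)]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, (conns, tries) in sorted(connections_and_attempts(lines).items()):
        print("%-15s connections=%d failed_attempts=%d" % (ip, conns, tries))
    for cmd in pf_commands(offenders(lines)):
        print(cmd)
```

Run against a real `/var/log/auth.log` the script would read the file instead of `SAMPLE_LOG`; in this constructed sample only 192.0.2.10 crosses the threshold (five failures across two connections in under a minute), while 198.51.100.7 stays below it because its two failures are seventeen minutes apart.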