From: "Constantine A. Murenin" <mureninc@gmail.com>
To: "Pieter de Boer"
Cc: freebsd-security@freebsd.org
Date: Sun, 20 Aug 2006 12:35:05 -0400
Subject: Re: SSH scans vs connection ratelimiting
In-Reply-To: <44E76B21.8000409@thedarkside.nl>

On 19/08/06, Pieter de Boer wrote:
> Gang,
>
> For months now, we're all seeing repeated bruteforce attempts on SSH.
> I've configured my pf install to ratelimit TCP connections to port 22
> and to automatically add IP-addresses that connect too fast to a table
> that's filtered:
>
> table { }
>
> block quick from to any
>
> pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
> modulate state (source-track rule max-src-nodes 8 max-src-conn 8
> max-src-conn-rate 3/60 overload flush global)
>
> This works as expected, IP-addresses are added to the 'lamers'-table
> every once in a while.
>
> However, there apparently are SSH bruteforcers that simply use one
> connection to perform a brute-force attack:
>
> Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122
>
> My theory was/is that this particular scanner simply multiplexes
> multiple authentication attempts over a single connection. I 'used the
> source luke' of OpenSSH to find support for this theory, but found the
> source a bit too wealthy for my brain to find such support.
>
> So, my question is: Does anyone know how this particular attack works
> and if there's a way to stop this? If my theory is sound and OpenSSH
> does not have provisions to limit the authentication requests per TCP
> session, I'd find that an inadequacy in OpenSSH, but I'm probably
> missing something here :)

There were tons of discussions on this topic on misc@OpenBSD mailing
list, so you can try searching the archives for some more ideas. This
is just one thread that I've found now, called "is there a way to block
sshd trolling?": http://arkiv.openbsd.nu/?ml=openbsd-misc&a=0&t=1325006.

Most of these attacks come from compromised Linux hosts, so if you use
pf(4), you could easily block access to ssh port from any Linux machine,
and then you're mostly covered. :) See
http://arkiv.openbsd.nu/?ml=openbsd-misc&a=0&m=1332409.

Cheers,
Constantine.
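The pf rule quoted in the thread counts TCP connections per source (max-src-conn-rate 3/60), so it cannot see how many failed logins happen once a connection is up. The following is an added example, not code from either poster: a small log-side check that parses the sshd "Invalid user" lines quoted above and flags a source that exceeds a chosen number of failed attempts inside a sliding window. It also records how many distinct sshd child pids a source produced, since OpenSSH forks one child per incoming connection, which lets you compare failures against connections. The sample log embeds the six lines from the post plus one constructed line from the documentation address 192.0.2.10; the year (syslog lines carry none), the threshold of 5 failures per 60 seconds, and every function name are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# BSD syslog line as written by OpenSSH for an unknown user; no year in the stamp.
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)$"
)

# Assumption: the thread is from August 2006 and syslog omits the year.
YEAR = 2006

# Constructed sample: the six lines quoted in the post plus one benign-looking
# line from the RFC 5737 documentation range for contrast.
SAMPLE_LOG = [
    "Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122",
    "Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122",
    "Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122",
    "Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122",
    "Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122",
    "Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122",
    "Aug 18 00:05:30 aberdeen sshd[88100]: Invalid user test from 192.0.2.10",
]


def parse_line(line):
    """Return a dict for an 'Invalid user' line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {YEAR}",
                           "%b %d %H:%M:%S %Y")
    return {"ts": ts, "host": m["host"], "pid": int(m["pid"]),
            "user": m["user"], "ip": m["ip"]}


def find_offenders(lines, max_failures=5, window_seconds=60):
    """Sliding-window count of failed logins per source IP.

    Lines must be in chronological order (as in a syslog file).  Returns
    {ip: {"exceeded_at", "attempts_in_window", "connections"}} for every
    source whose failures within window_seconds exceed max_failures.
    """
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    pids = defaultdict(set)       # ip -> sshd child pids seen (one per connection)
    offenders = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        pids[ip].add(ev["pid"])
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that fell out of the window.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_failures and ip not in offenders:
            offenders[ip] = {
                "exceeded_at": ts,
                "attempts_in_window": len(q),
                "connections": len(pids[ip]),
            }
    return offenders


if __name__ == "__main__":
    for ip, info in find_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts_in_window']} failures in window, "
              f"{info['connections']} connections, first exceeded at {info['exceeded_at']}")
```

Run against a real log the offenders dict is what you would hand to the table the post already filters on, for instance with `pfctl -t lamers -T add <ip>`, so that authentication failures, and not only connection counts, can populate it.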