From owner-freebsd-security@FreeBSD.ORG Sat Aug 19 21:31:37 2006
Date: Sat, 19 Aug 2006 23:30:50 +0200 (CEST)
From: Joerg Pulz
To: Pieter de Boer
Cc: freebsd-security@freebsd.org
Subject: Re: SSH scans vs connection ratelimiting
In-Reply-To: <44E76B21.8000409@thedarkside.nl>
Message-ID: <20060819232810.N978@hades.admin.frm2>
References: <44E76B21.8000409@thedarkside.nl>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
List-Id: "Security issues [members-only posting]"
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 19 Aug 2006, Pieter de Boer wrote:

> Gang,
>
> For months now, we're all seeing repeated bruteforce attempts on SSH. I've
> configured my pf install to ratelimit TCP connections to port 22 and to
> automatically add IP-addresses that connect too fast to a table that's
> filtered:
>
> table { }
>
> block quick from to any
>
> pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
> modulate state (source-track rule max-src-nodes 8 max-src-conn 8
> max-src-conn-rate 3/60 overload flush global)
>
> This works as expected, IP-addresses are added to the 'lamers'-table every
> once in a while.
>
> However, there apparently are SSH bruteforcers that simply use one connection
> to perform a brute-force attack:
>
> Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122
>
> My theory was/is that this particular scanner simply multiplexes multiple
> authentication attempts over a single connection. I 'used the source luke' of
> OpenSSH to find support for this theory, but found the source a bit too
> wealthy for my brain to find such support.
>
> So, my question is: Does anyone know how this particular attack works and if
> there's a way to stop this?
> If my theory is sound and OpenSSH does not have
> provisions to limit the authentication requests per TCP session, I'd find
> that an inadequacy in OpenSSH, but I'm probably missing something here :)

Isn't it the "MaxAuthTries" option for sshd which provides such functionality?
Please look for "MaxAuthTries" in the sshd_config(5) manpage for details.

regards
Joerg

- --
The beginning is the most important part of the work.
-Plato
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFE54MNSPOsGF+KA+MRAh0GAJ45v4C9+xJ5vy+4BPltXwBxpKzzIwCePWa8
o/XSdoB2tFdMXQv1Yo1rwFU=
=dHjL
-----END PGP SIGNATURE-----
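The thread contrasts two controls: pf's max-src-conn-rate, which sees connections, and sshd's MaxAuthTries, which caps attempts per connection. The script below, an added example that is not part of the original thread, tells the two patterns apart from sshd's own log lines. Each sshd[PID] is a forked per-connection child, so distinct PIDs for one source address count connections (the quantity pf tracks), while repeated failures under a single PID are the per-connection pattern MaxAuthTries caps. Assumptions: the quoted 83.19.113.122 lines are reused verbatim, the 192.0.2.7 and 198.51.100.5 lines are constructed (RFC 5737 documentation addresses), syslog lines carry no year so 2006 is supplied, the 3/60 threshold mirrors the quoted ruleset, the per-connection default of 6 is sshd's MaxAuthTries default, and the table name lamers is taken from the post. The pfctl commands are only generated as strings, not executed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the 83.19.113.122 block is the data quoted in the thread;
# the 192.0.2.7 (seven failures on ONE sshd child) and 198.51.100.5 (one failure,
# then a successful login) lines are made up to show the other patterns.
SAMPLE_LOG = """\
Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122
Aug 18 00:01:00 aberdeen sshd[88030]: Failed password for root from 192.0.2.7 port 40112 ssh2
Aug 18 00:01:01 aberdeen sshd[88030]: Failed password for root from 192.0.2.7 port 40112 ssh2
Aug 18 00:01:02 aberdeen sshd[88030]: Failed password for root from 192.0.2.7 port 40112 ssh2
Aug 18 00:01:03 aberdeen sshd[88030]: Failed password for root from 192.0.2.7 port 40112 ssh2
Aug 18 00:01:04 aberdeen sshd[88030]: Failed password for root from 192.0.2.7 port 40112 ssh2
Aug 18 00:01:05 aberdeen sshd[88030]: Failed password for root from 192.0.2.7 port 40112 ssh2
Aug 18 00:01:06 aberdeen sshd[88030]: Failed password for root from 192.0.2.7 port 40112 ssh2
Aug 18 00:02:00 aberdeen sshd[88040]: Failed password for jpulz from 198.51.100.5 port 50000 ssh2
Aug 18 00:02:09 aberdeen sshd[88041]: Accepted publickey for jpulz from 198.51.100.5 port 50001 ssh2
"""

# Matches the two failure messages sshd emits; successful logins do not match.
FAILURE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?:Invalid user \S+ from (?P<ip1>\S+)"
    r"|Failed password for (?:invalid user )?\S+ from (?P<ip2>\S+) port \d+)"
)


def parse_failures(text, year=2006):
    """Return [(timestamp, pid, source_ip)] for every authentication failure.

    syslog lines carry no year, so one is supplied (2006 assumed, matching the thread).
    """
    events = []
    for line in text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, int(m["pid"]), m["ip1"] or m["ip2"]))
    return events


def connection_rate_offenders(events, max_conn=3, window=60):
    """Source addresses that opened more than max_conn connections within window seconds.

    A connection is identified by the sshd child PID. Defaults mirror the quoted
    pf rule 'max-src-conn-rate 3/60', recomputed from the log via a sliding window.
    """
    first_seen = {}
    for ts, pid, ip in events:
        key = (ip, pid)
        if key not in first_seen or ts < first_seen[key]:
            first_seen[key] = ts
    per_ip = defaultdict(list)
    for (ip, _pid), ts in first_seen.items():
        per_ip[ip].append(ts)
    offenders = set()
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window:
                start += 1
            if end - start + 1 > max_conn:
                offenders.add(ip)
                break
    return offenders


def single_connection_offenders(events, max_tries=6):
    """{(ip, pid): failures} for connections with more than max_tries failures.

    Default 6 is sshd's MaxAuthTries default. This is the one-connection pattern
    the original poster suspected, which a connection-rate rule cannot see.
    """
    counts = defaultdict(int)
    for _ts, pid, ip in events:
        counts[(ip, pid)] += 1
    return {k: n for k, n in counts.items() if n > max_tries}


def pf_table_commands(ips, table="lamers"):
    """pfctl invocations that would add the offenders to the overload table (strings only)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(ips)]


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("many connections:", sorted(connection_rate_offenders(ev)))
    print("many tries on one connection:", single_connection_offenders(ev))
    for cmd in pf_table_commands(connection_rate_offenders(ev)):
        print(cmd)
```

Run against the sample, the quoted 83.19.113.122 data shows up as six connections in thirteen seconds, while 192.0.2.7 never trips the connection-rate check and is only caught by the per-connection count; that second case is exactly what MaxAuthTries addresses on the sshd side.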