From: Pieter de Boer <pieter@thedarkside.nl>
To: freebsd-security@freebsd.org
Date: Sun, 20 Aug 2006 18:59:36 +0200
Subject: Re: SSH scans vs connection ratelimiting
Message-ID: <44E894F8.5090505@thedarkside.nl>
References: <44E76B21.8000409@thedarkside.nl>

Constantine A. Murenin wrote:

>> So, my question is: Does anyone know how this particular attack works
>> and if there's a way to stop this? If my theory is sound and OpenSSH
>> does not have provisions to limit the authentication requests per TCP
>> session, I'd find that an inadequacy in OpenSSH, but I'm probably
>> missing something here :)
>
> This is just one thread that I've found now, called "is there a way to
> block sshd trolling?":
> http://arkiv.openbsd.nu/?ml=openbsd-misc&a=0&t=1325006.
>
> Most of these attacks come from compromised Linux hosts, so if you use
> pf(4), you could easily block access to ssh port from any Linux
> machine, and then you're mostly covered. :) See
> http://arkiv.openbsd.nu/?ml=openbsd-misc&a=0&m=1332409.

I'm not so much searching for a solution to the 'problem', but rather want to know why ratelimiting apparently doesn't work for some of the scans. I see IP addresses being blocked just fine by the pf rule due to scans, but also see some other scans still succeed. Ratelimiting is one of the few solutions I can agree with, and it should simply work.

Perhaps I should try running a tcpdump for a few days again to get a packet trace of such a 'succeeding' scan. Might show what's going on.

-- 
Pieter
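Before collecting a packet trace, the sshd auth log already shows the distinction that matters for a per-source connection-rate limit: whether a scanning host opens a new TCP connection per guess or keeps guessing inside one established session. The script below is an added example, not code from the thread; it assumes standard OpenSSH "Failed password ... from IP port PORT" log lines, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample auth-log lines in OpenSSH's "Failed password" format.
# 198.51.100.7 makes one guess per TCP connection (a new source port each time);
# 203.0.113.9 makes all its guesses over one connection (same source port).
SAMPLE_LOG = """\
Aug 20 10:00:01 host sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Aug 20 10:00:02 host sshd[1002]: Failed password for invalid user test from 198.51.100.7 port 40002 ssh2
Aug 20 10:00:03 host sshd[1003]: Failed password for root from 198.51.100.7 port 40003 ssh2
Aug 20 10:05:00 host sshd[2001]: Failed password for invalid user admin from 203.0.113.9 port 51515 ssh2
Aug 20 10:05:01 host sshd[2001]: Failed password for invalid user test from 203.0.113.9 port 51515 ssh2
Aug 20 10:05:02 host sshd[2001]: Failed password for root from 203.0.113.9 port 51515 ssh2
Aug 20 10:05:03 host sshd[2001]: Failed password for root from 203.0.113.9 port 51515 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?\S+ from (?P<ip>\S+) port (?P<port>\d+)"
)

def attempts_per_connection(log_text):
    """Return {src_ip: {src_port: failed_attempt_count}}.

    The (source IP, source port) pair identifies one TCP session, so the
    inner dict shows how the guesses were spread over connections.
    """
    table = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            table[m["ip"]][int(m["port"])] += 1
    return {ip: dict(ports) for ip, ports in table.items()}

def classify(log_text):
    """Label each source by its pattern of guesses per connection.

    A rule that rate-limits new TCP connections per source only sees the
    'one-attempt-per-connection' pattern; guesses that stay inside a single
    established session never count as new connections.
    """
    result = {}
    for ip, ports in attempts_per_connection(log_text).items():
        conns, attempts = len(ports), sum(ports.values())
        kind = ("many-attempts-per-connection" if attempts > conns
                else "one-attempt-per-connection")
        result[ip] = {"connections": conns, "attempts": attempts, "kind": kind}
    return result

if __name__ == "__main__":
    for ip, info in classify(SAMPLE_LOG).items():
        print(ip, info)
```

Run it over a real auth log (`classify(open("/var/log/auth.log").read())`) to see which scanning sources a connection-rate rule could ever have caught.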