From: Daniel Gerzo <danger@FreeBSD.org>
Organization: The FreeBSD Project
Date: Sat, 19 Aug 2006 23:37:30 +0200
To: Pieter de Boer
Cc: freebsd-security@freebsd.org
Subject: Re: SSH scans vs connection ratelimiting
Message-ID: <47517034.20060819233730@rulez.sk>
In-Reply-To: <44E76B21.8000409@thedarkside.nl>

Hello Pieter,

Saturday, August 19, 2006, 9:48:49 PM, you wrote:

> Gang,
>
> For months now, we're all seeing repeated bruteforce attempts on SSH.
> I've configured my pf install to ratelimit TCP connections to port 22
> and to automatically add IP-addresses that connect too fast to a table
> that's filtered:
>
> table <lamers> { }
> block quick from <lamers> to any
> pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22 \
>     modulate state (source-track rule max-src-nodes 8 max-src-conn 8 \
>     max-src-conn-rate 3/60 overload <lamers> flush global)
>
> This works as expected, IP-addresses are added to the 'lamers'-table
> every once in a while.
>
> However, there apparently are SSH bruteforcers that simply use one
> connection to perform a brute-force attack:
>
> Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122
>
> My theory was/is that this particular scanner simply multiplexes
> multiple authentication attempts over a single connection. I 'used the
> source luke' of OpenSSH to find support for this theory, but found the
> source a bit too wealthy for my brain to find such support.
>
> So, my question is: Does anyone know how this particular attack works
> and if there's a way to stop this? If my theory is sound and OpenSSH
> does not have provisions to limit the authentication requests per TCP
> session, I'd find that an inadequacy in OpenSSH, but I'm probably
> missing something here :)

try http://legonet.org/~griffin/openbsd/block_ssh_bruteforce.html
or my pet project http://danger.rulez.sk/projects/bruteforceblocker/

> Regards,
>
> Pieter

-- 
Best regards,
 Daniel                            mailto:danger@FreeBSD.org
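The approach Daniel's reply points to (bruteforceblocker watches sshd's log and feeds offending addresses into a pf table) complements Pieter's ruleset: pf's max-src-conn-rate counts TCP connections, so a scanner that retries many logins over one connection never trips it, whereas the log shows every failed attempt. The following is an added example written for this archive page, not code from bruteforceblocker, pf, OpenSSH or either poster. It assumes the syslog line format quoted above, the year 2006 for the year-less syslog timestamps, the table name "lamers" from Pieter's ruleset, and a few constructed extra log lines (a second address with only two failures and one successful login) to show the threshold at work. It counts "Invalid user" failures per source address over a sliding time window and only prints the pfctl commands it would run.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the sshd "Invalid user" lines quoted in the thread
# (classic syslog format: "Mon DD HH:MM:SS host sshd[pid]: ...", no year).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user \S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Six lines from the thread plus constructed lines for a second address
# (198.51.100.7, documentation range) and one accepted login that must be ignored.
SAMPLE_LOG = [
    "Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122",
    "Aug 18 00:00:02 aberdeen sshd[87995]: Invalid user admin from 198.51.100.7",
    "Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122",
    "Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122",
    "Aug 18 00:00:07 aberdeen sshd[88011]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2",
    "Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122",
    "Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122",
    "Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122",
    "Aug 18 00:00:40 aberdeen sshd[88030]: Invalid user admin from 198.51.100.7",
]


def parse_line(line, year=2006):
    """Return (timestamp, source_ip) for an 'Invalid user' line, else None.
    Syslog omits the year, so the caller supplies it (assumed 2006 here)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")


def find_offenders(lines, threshold=5, window_seconds=60):
    """Map source IP -> timestamp of the failure that crossed the threshold.

    An address is flagged once it has `threshold` or more failed attempts
    inside any sliding window of `window_seconds`. Per-IP deques hold only
    the timestamps still inside the window, so memory stays bounded."""
    windows = defaultdict(deque)
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not an sshd failure line; ignore
        ts, ip = parsed
        if ip in offenders:
            continue  # already flagged; keep the first crossing time
        q = windows[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) >= threshold:
            offenders[ip] = ts
    return offenders


def pfctl_commands(offenders, table="lamers"):
    """Build the pfctl invocations that would add each offender to the table.
    They are returned as strings, not executed."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(offenders)]


if __name__ == "__main__":
    flagged = find_offenders(SAMPLE_LOG)
    for ip, when in flagged.items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}")
    for cmd in pfctl_commands(flagged):
        print(cmd)
```

With the defaults (five failures within 60 seconds) only 83.19.113.122 is flagged, on its fifth line at 00:00:13; the two failures from 198.51.100.7 stay under the threshold and the accepted login is skipped. A real deployment would tail the log continuously, run the pfctl command under a privileged helper, and expire entries from the table after some time, which is what tools like bruteforceblocker do.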