From owner-freebsd-security@FreeBSD.ORG Mon Aug 21 01:33:05 2006
Return-Path:
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1521716A4DE; Mon, 21 Aug 2006 01:33:05 +0000 (UTC) (envelope-from rip@overflow.no)
Received: from [66.135.109.170] (wm6700hi-109.170.Maroon.NetSurf.Net [66.135.109.170]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7737543D45; Mon, 21 Aug 2006 01:33:04 +0000 (GMT) (envelope-from rip@overflow.no)
Received: from [10.1.182.212] ([10.1.182.212]) by [66.135.109.170] (8.13.6/8.13.6) with ESMTP id k7L1Wq35006027; Sun, 20 Aug 2006 21:32:52 -0400
Message-ID: <44E90D4A.6080700@overflow.no>
Date: Sun, 20 Aug 2006 21:32:58 -0400
From: Chris
User-Agent: Thunderbird 1.5.0.5 (X11/20060728)
MIME-Version: 1.0
To: Chris
References: <44E76B21.8000409@thedarkside.nl> <47517034.20060819233730@rulez.sk> <44E7AE0F.2000103@overflow.no> <3aaaa3a0608192042k2f079d96re0592109dd6d0d69@mail.gmail.com>
In-Reply-To: <3aaaa3a0608192042k2f079d96re0592109dd6d0d69@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: freebsd-security@freebsd.org, Daniel Gerzo, Pieter de Boer
Subject: Re: SSH scans vs connection ratelimiting
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 21 Aug 2006 01:33:05 -0000

As requested, here you go. Please read the README file for further information.

http://irchost.no/ssh-4.3p2+timelox+chroot.tgz

Chris wrote:
> On 20/08/06, Chris wrote:
>> I'm maintaining a patch for OpenSSH portable that allows configurable
>> blocking (firewalling, ipfw, ipf, iptables) of such bruteforce attempts. I
>> will post it if anyone is interested in it.
>>
>> Daniel Gerzo wrote:
>> > Hello Pieter,
>> >
>> > Saturday, August 19, 2006, 9:48:49 PM, you wrote:
>> >
>> >> Gang,
>> >>
>> >> For months now, we're all seeing repeated bruteforce attempts on SSH.
>> >> I've configured my pf install to ratelimit TCP connections to port 22
>> >> and to automatically add IP-addresses that connect too fast to a table
>> >> that's filtered:
>> >>
>> >> table { }
>> >>
>> >> block quick from to any
>> >>
>> >> pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
>> >> modulate state (source-track rule max-src-nodes 8 max-src-conn 8
>> >> max-src-conn-rate 3/60 overload flush global)
>> >>
>> >> This works as expected, IP-addresses are added to the 'lamers'-table
>> >> every once in a while.
>> >>
>> >> However, there apparently are SSH bruteforcers that simply use one
>> >> connection to perform a brute-force attack:
>> >>
>> >> Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
>> >> Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
>> >> Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
>> >> Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
>> >> Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
>> >> Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122
>> >>
>> >> My theory was/is that this particular scanner simply multiplexes
>> >> multiple authentication attempts over a single connection. I 'used the
>> >> source luke' of OpenSSH to find support for this theory, but found the
>> >> source a bit too wealthy for my brain to find such support.
>> >>
>> >> So, my question is: Does anyone know how this particular attack works
>> >> and if there's a way to stop this? If my theory is sound and OpenSSH
>> >> does not have provisions to limit the authentication requests per TCP
>> >> session, I'd find that an inadequacy in OpenSSH, but I'm probably
>> >> missing something here :)
>> >
>> > try http://legonet.org/~griffin/openbsd/block_ssh_bruteforce.html
>> > or my pet project http://danger.rulez.sk/projects/bruteforceblocker/
>> >
>> >> Regards,
>> >> Pieter
>> >
>
> I am interested in this patch thanks.
>
> Chris
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe@freebsd.org"
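An added example, not part of this message and not code from Chris's patch or from either of the blockers Daniel links: a small log-driven detector in Python that complements the quoted pf rule by counting sshd authentication failures per source address over a sliding window, so it triggers whether the attempts arrive on many connections or are carried by a single one, and then emits the pfctl command that would add the source to the 'lamers' table Pieter's ruleset filters on. The log lines (the ones quoted in the thread plus a few constructed ones), the second address 192.0.2.10, the year 2006 and the threshold/window values are all assumptions made for the example.

```python
"""Sliding-window SSH brute-force detector over sshd syslog lines.

Added example for the freebsd-security thread; not code from the thread
or from any of the tools it links. It counts auth failures per source
address in a time window, independent of how many TCP connections carried
them, and prints the pf table insertion for any source that crosses the
threshold.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input: the six lines quoted in the thread plus three
# made-up lines (192.0.2.10 is a documentation address, not a real scanner).
SAMPLE_LOG = """\
Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:07 aberdeen sshd[88013]: Failed password for root from 192.0.2.10 port 40112 ssh2
Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:20 aberdeen sshd[88030]: Accepted publickey for chris from 192.0.2.10 port 40113 ssh2
Aug 18 00:03:00 aberdeen sshd[88101]: Failed password for invalid user admin from 192.0.2.10 port 40200 ssh2
"""

# Assumed year: syslog timestamps carry none.
LOG_YEAR = 2006

# Two failure messages OpenSSH logs for password / keyboard-interactive auth.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+ from (?P<ip1>\S+)"
    r"|Failed password for (?:invalid user )?\S+ from (?P<ip2>\S+) port \d+ ssh2)$"
)


def parse_failure(line):
    """Return (timestamp, source_ip) for an auth-failure line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip1") or m.group("ip2")


def detect(lines, threshold=5, window_seconds=60):
    """Return {ip: time the threshold was first crossed}.

    Each source keeps a deque of recent failure timestamps; entries older
    than the window are dropped before counting, so a slow attacker that
    stays under threshold/window is not flagged, and a flagged source is
    reported once. Connection count plays no role, only failures do.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_failure(line.rstrip("\n"))
        if parsed is None:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def pf_block_commands(flagged, table="lamers"):
    """pfctl invocations adding each flagged source to the pf table that
    the quoted ruleset filters on ('lamers' is the name used in the thread)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG.splitlines())
    for ip, when in hits.items():
        print(f"{ip} crossed the threshold at {when:%b %d %H:%M:%S}")
    for cmd in pf_block_commands(hits):
        print(cmd)
```

Run against the sample, 83.19.113.122 is flagged at its fifth failure (00:00:13) while 192.0.2.10, with one failure at 00:00:07 and another three minutes later, never has more than one failure inside a 60-second window and stays unflagged. To use it for real, feed it `tail -F /var/log/auth.log` and pipe the emitted commands to a privileged pfctl, and remember that a pf table entry added this way persists until something expires or flushes it.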