From owner-freebsd-security@FreeBSD.ORG Sun Aug 20 03:42:20 2006
Message-ID: <3aaaa3a0608192042k2f079d96re0592109dd6d0d69@mail.gmail.com>
Date: Sun, 20 Aug 2006 04:42:17 +0100
From: Chris
To: Chris
In-Reply-To: <44E7AE0F.2000103@overflow.no>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <44E76B21.8000409@thedarkside.nl> <47517034.20060819233730@rulez.sk> <44E7AE0F.2000103@overflow.no>
Cc: freebsd-security@freebsd.org, Daniel Gerzo, Pieter de Boer
Subject: Re: SSH scans vs connection ratelimiting
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Sun, 20 Aug 2006 03:42:20 -0000

On 20/08/06, Chris wrote:
> I'm maintaining a patch for OpenSSH portable that allows configurable
> blocking (firewalling, ipfw, ipf, iptables) of such bruteforce attempts. I
> will post it if anyone is interested in it.
>
> Daniel Gerzo wrote:
> > Hello Pieter,
> >
> > Saturday, August 19, 2006, 9:48:49 PM, you wrote:
> >
> >> Gang,
> >>
> >> For months now, we're all seeing repeated bruteforce attempts on SSH.
> >> I've configured my pf install to ratelimit TCP connections to port 22
> >> and to automatically add IP-addresses that connect too fast to a table
> >> that's filtered:
> >>
> >> table { }
> >>
> >> block quick from to any
> >>
> >> pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
> >> modulate state (source-track rule max-src-nodes 8 max-src-conn 8
> >> max-src-conn-rate 3/60 overload flush global)
> >>
> >> This works as expected, IP-addresses are added to the 'lamers'-table
> >> every once in a while.
> >>
> >> However, there apparently are SSH bruteforcers that simply use one
> >> connection to perform a brute-force attack:
> >>
> >> Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
> >> Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
> >> Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
> >> Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
> >> Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
> >> Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122
> >>
> >> My theory was/is that this particular scanner simply multiplexes
> >> multiple authentication attempts over a single connection. I 'used the
> >> source, Luke' of OpenSSH to find support for this theory, but found the
> >> source a bit too wealthy for my brain to find such support.
> >>
> >> So, my question is: Does anyone know how this particular attack works
> >> and if there's a way to stop this? If my theory is sound and OpenSSH
> >> does not have provisions to limit the authentication requests per TCP
> >> session, I'd find that an inadequacy in OpenSSH, but I'm probably
> >> missing something here :)
> >>
> > try http://legonet.org/~griffin/openbsd/block_ssh_bruteforce.html
> > or my pet project http://danger.rulez.sk/projects/bruteforceblocker/
> >
> >> Regards,
> >> Pieter
> >>
> >
>
I am interested in this patch, thanks.

Chris
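Added example, not code from the thread or from either project Daniel links: a small Python scanner that applies the same 3-per-60-seconds budget as Pieter's pf rule, but to sshd authentication failures in syslog rather than to TCP connections, so a source that packs many attempts into few connections is still reported. The log lines and addresses are constructed; the table name `lamers` and the year 2006 are assumed from the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the two sshd messages that signal a failed login, in the syslog
# format quoted in the thread; the source address is captured as "ip".
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+ from|Failed password for (?:invalid user )?\S+ from) (?P<ip>\S+)"
)

# Constructed sample input (RFC 5737 documentation addresses), shaped like the
# lines Pieter quoted: six failures in 14 seconds from one source, plus a
# single failure from another.
SAMPLE_LOG = """\
Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 198.51.100.7
Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 198.51.100.7
Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 198.51.100.7
Aug 18 00:00:10 aberdeen sshd[88014]: Failed password for invalid user serwis from 198.51.100.7 port 40112 ssh2
Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 198.51.100.7
Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 198.51.100.7
Aug 18 00:00:40 aberdeen sshd[88030]: Failed password for root from 192.0.2.10 port 51022 ssh2
"""


def find_offenders(log_text, max_failures=3, window_seconds=60, year=2006):
    """Sliding-window count of auth failures per source, with the same
    semantics as pf's max-src-conn-rate: a source is reported the first time
    it exceeds max_failures within window_seconds. Syslog lines carry no
    year, so one is assumed. Returns {ip: datetime of the hit}."""
    recent = defaultdict(deque)
    offenders = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop failures that fell out of the window
        if len(window) > max_failures and m["ip"] not in offenders:
            offenders[m["ip"]] = ts
    return offenders


def pfctl_commands(offenders, table="lamers"):
    """Commands an operator would review before adding sources to the pf table."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(offenders)]
```

Because the count is keyed on the source address rather than on connections, the rule fires regardless of how the attempts are spread across TCP sessions; the pf table then blocks the source exactly as Pieter's `overload` clause does.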