Date:      Thu, 10 Feb 2011 08:52:58 +0100
From:      Daniel Hartmeier <daniel@benzedrine.cx>
To:        Vadym Chepkov <vchepkov@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: brutal SSH attacks
Message-ID:  <20110210075258.GB16942@insomnia.benzedrine.cx>
In-Reply-To: <FB3E9540-742A-4783-9813-B7DBCD515C7E@gmail.com>
References:  <D04005BA-E154-4AE3-B14B-F9E6EF1269B0@gmail.com> <5A0B04327C334DA18745BFDBDBECE055@charlieroot.de> <A6E48F78-AC10-40DE-9345-86D14CC4D3A1@gmail.com> <98689EFE59404E4B838E79071AABA8B4@charlieroot.de> <56413CA2-EE4F-4E06-B044-0982E864E44D@gmail.com> <A141DF22-E35C-46BD-B88B-D68800812359@gmail.com> <20110209185118.GA16942@insomnia.benzedrine.cx> <FB3E9540-742A-4783-9813-B7DBCD515C7E@gmail.com>

On Wed, Feb 09, 2011 at 03:55:42PM -0500, Vadym Chepkov wrote:

> Feb  8 11:27:01 castor sshd[57304]: Invalid user ariane from 113.185.0.16

count = 1000, last = 01

> Feb  8 11:27:04 castor sshd[57306]: Invalid user armand from 113.185.0.16

diff = 3, count -= 1000 * 3 / 60, += 1000, count = 1950, last = 04

> Feb  8 11:27:08 castor sshd[57308]: Invalid user armande from 113.185.0.16

diff = 4, count -= 1950 * 4 / 60, += 1000, count = 2820, last = 08

> Feb  8 11:27:11 castor sshd[57310]: Invalid user armando from 113.185.0.16

diff = 3, count -= 2820 * 3 / 60, += 1000, count = 3679, last = 11

> Feb  8 11:27:15 castor sshd[57312]: Invalid user armani from 113.185.0.16

diff = 4, count -= 3679 * 4 / 60, += 1000, count = 4434, last = 15

> Feb  8 11:27:18 castor sshd[57314]: Invalid user arnie from 113.185.0.16

diff = 3, count -= 4434 * 3 / 60, += 1000, count = 5213, last = 18

> Feb  8 11:27:22 castor sshd[57316]: Invalid user arne from 113.185.0.16

diff = 4, count -= 5213 * 4 / 60, += 1000, count = 5866, last = 22

> Feb  8 11:27:25 castor sshd[57318]: Invalid user arnold from 113.185.0.16

diff = 3, count -= 5866 * 3 / 60, += 1000, count = 6573, last = 25

> Feb  8 11:27:29 castor sshd[57320]: Invalid user art from 113.185.0.16

diff = 4, count -= 6573 * 4 / 60, += 1000, count = 7135, last = 29

> Feb  8 11:27:33 castor sshd[57322]: Invalid user arthur from 113.185.0.16

diff = 4, count -= 7135 * 4 / 60, += 1000, count = 7660, last = 33

> Feb  8 11:27:36 castor sshd[57324]: Invalid user artie from 113.185.0.16

diff = 3, count -= 7660 * 3 / 60, += 1000, count = 8277, last = 36

> Feb  8 11:27:47 castor sshd[57326]: Invalid user arty from 113.185.0.16

diff = 11, count -= 8277 * 11 / 60, += 1000, count = 7710, last = 47

(this 11 second pause is reducing the rate estimation significantly,
if the scanner hadn't paused so long, it would have triggered)

> Feb  8 11:27:50 castor sshd[57328]: Invalid user asha from 113.185.0.16

diff = 3, count -= 7710 * 3 / 60, += 1000, count = 8325, last = 50

> Feb  8 11:27:54 castor sshd[57330]: Invalid user asher from 113.185.0.16

diff = 4, count -= 8325 * 4 / 60, += 1000, count = 8770, last = 54

> Feb  8 11:27:57 castor sshd[57332]: Invalid user ashley from 113.185.0.16

diff = 3, count -= 8770 * 3 / 60, += 1000, count = 9332, last = 57

Now count is larger than your limit 9000, and the threshold is
triggered, after 15 connections (the 16th is probably due to syslog
not showing the precise timestamps).

You can re-calculate the steps with 30 <seconds> (instead of 60),
and see how it triggers...

Daniel
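The step-by-step arithmetic above is pf's `max-src-conn-rate` estimator: a per-source counter that each new connection credits with 1000, that decays linearly by `count * diff / seconds` between connections, and that trips when it exceeds `limit * 1000`. The following is an added example, not code from the message or from pf itself, that models that counter in Python and runs it over the quoted sshd lines. All names (`Threshold`, `run_trace`, `compress_pause`) are my own; the log lines are a constructed copy of the ones quoted above. It also goes beyond the message by recomputing the trace with a 30-second window and with the 11-second pause before the `arty` attempt removed.

```python
# Added example: a model of pf's decaying per-source connection-rate counter,
# not the kernel code itself. Integer division mirrors the kernel's arithmetic.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

THRESHOLD_MULT = 1000  # one connection adds 1000 so integer math keeps precision

# Constructed copy of the sshd lines quoted in the message (offline input).
LOG_LINES = """\
Feb  8 11:27:01 castor sshd[57304]: Invalid user ariane from 113.185.0.16
Feb  8 11:27:04 castor sshd[57306]: Invalid user armand from 113.185.0.16
Feb  8 11:27:08 castor sshd[57308]: Invalid user armande from 113.185.0.16
Feb  8 11:27:11 castor sshd[57310]: Invalid user armando from 113.185.0.16
Feb  8 11:27:15 castor sshd[57312]: Invalid user armani from 113.185.0.16
Feb  8 11:27:18 castor sshd[57314]: Invalid user arnie from 113.185.0.16
Feb  8 11:27:22 castor sshd[57316]: Invalid user arne from 113.185.0.16
Feb  8 11:27:25 castor sshd[57318]: Invalid user arnold from 113.185.0.16
Feb  8 11:27:29 castor sshd[57320]: Invalid user art from 113.185.0.16
Feb  8 11:27:33 castor sshd[57322]: Invalid user arthur from 113.185.0.16
Feb  8 11:27:36 castor sshd[57324]: Invalid user artie from 113.185.0.16
Feb  8 11:27:47 castor sshd[57326]: Invalid user arty from 113.185.0.16
Feb  8 11:27:50 castor sshd[57328]: Invalid user asha from 113.185.0.16
Feb  8 11:27:54 castor sshd[57330]: Invalid user asher from 113.185.0.16
Feb  8 11:27:57 castor sshd[57332]: Invalid user ashley from 113.185.0.16
""".splitlines()

LINE_RE = re.compile(
    r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user \S+ from (\S+)$"
)


def parse_events(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (seconds of day, source address) for each matching sshd line."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog noise is ignored
        hh, mm, ss, src = m.groups()
        events.append((int(hh) * 3600 + int(mm) * 60 + int(ss), src))
    return events


@dataclass
class Threshold:
    """Per-source state for a 'max-src-conn-rate limit/seconds' rule."""
    limit: int
    seconds: int
    count: int = 0
    last: Optional[int] = None

    def add(self, now: int) -> None:
        if self.last is None or now - self.last >= self.seconds:
            self.count = 0  # quiet for a whole window: history is forgotten
        else:
            # linear decay toward zero for the time elapsed since the last hit
            self.count -= self.count * (now - self.last) // self.seconds
        self.count += THRESHOLD_MULT  # credit this connection
        self.last = now

    def exceeded(self) -> bool:
        return self.count > self.limit * THRESHOLD_MULT


def run_trace(events, limit: int, seconds: int):
    """Feed events through one Threshold per source address.

    Returns (1-based index of the first event that trips the limit, or None,
    list of the counter value after each event).
    """
    table: Dict[str, Threshold] = {}
    counts, trigger = [], None
    for i, (t, src) in enumerate(events, start=1):
        th = table.setdefault(src, Threshold(limit, seconds))
        th.add(t)
        counts.append(th.count)
        if trigger is None and th.exceeded():
            trigger = i
    return trigger, counts


def compress_pause(events, start_index: int, shift: int):
    """Move every event from start_index (0-based) on earlier by shift seconds."""
    return [(t - shift, s) if i >= start_index else (t, s)
            for i, (t, s) in enumerate(events)]


if __name__ == "__main__":
    ev = parse_events(LOG_LINES)
    for window in (60, 30):
        trig, counts = run_trace(ev, 9, window)
        print(f"9/{window}: trigger at event {trig}, final count {counts[-1]}")
    # Same scan, but the 11 s pause before 'arty' shortened to the usual 4 s
    print("without the pause:", run_trace(compress_pause(ev, 11, 7), 9, 60)[0])
```

With `9/60` the counter crosses 9000 on the 15th line, as the message traces; with a 30-second window the faster decay keeps it below 9000 for all fifteen lines; and with the 11-second pause shortened, the same limit would already have tripped on the 13th attempt, which is the point of the parenthetical remark about the pause.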



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20110210075258.GB16942>