brutal SSH attacks

Vadym Chepkov vchepkov at gmail.com
Wed Feb 9 20:55:51 UTC 2011 

On Feb 9, 2011, at 1:51 PM, Daniel Hartmeier wrote:

> On Tue, Feb 08, 2011 at 08:07:52PM -0500, Vadym Chepkov wrote:
> 
>> No idea, why it didn't stop after 9 attempts.
> 
> The connection rate is not calculated precisely, from pf.conf(5)
> 
>     max-src-conn-rate <number> / <seconds>
>           Limit the rate of new connections over a time interval.  The con-
>           nection rate is an approximation calculated as a moving average.
> 
> There is a counter, and a last-update-time.
> 
> When the first connection matches, the counter starts at zero, and the
> time (one second resolution) is noted.
> 
> Whenever a subsequent connection matches, the following happens:
> 
>  1) if the last-update-time is further back than <seconds> (60, in your
>     case), the counter is reset to zero.
>  2) otherwise, the counter is reduced relative to how much time has
>     passed since last-update-time (i.e. the counter is multiplied by
>     (now - last-update-time) / <seconds>
>  3) the counter is incremented by 1000
> 
> When the counter exceeds 1000 * <number> (9, in your case), the
> max-src-conn-rate is triggered.
> 
> This works reasonably well in many cases, but may be quite inprecise,
> especially when <number> is much smaller than <seconds>.
> 
> You could try max-src-conn-rate 2/5 instead.
> 

Wouldn't it be dangerous to reduce it this drastically? I can lock out myself.
I don't think it's uncommon to try to open 3 connections at the same time, especially in NAT environment.

I would increase "number", but it will negate the rule.
Here is an example of an actual intruder:

Feb  8 11:27:01 castor sshd[57304]: Invalid user ariane from 113.185.0.16
Feb  8 11:27:04 castor sshd[57306]: Invalid user armand from 113.185.0.16
Feb  8 11:27:08 castor sshd[57308]: Invalid user armande from 113.185.0.16
Feb  8 11:27:11 castor sshd[57310]: Invalid user armando from 113.185.0.16
Feb  8 11:27:15 castor sshd[57312]: Invalid user armani from 113.185.0.16
Feb  8 11:27:18 castor sshd[57314]: Invalid user arnie from 113.185.0.16
Feb  8 11:27:22 castor sshd[57316]: Invalid user arne from 113.185.0.16
Feb  8 11:27:25 castor sshd[57318]: Invalid user arnold from 113.185.0.16
Feb  8 11:27:29 castor sshd[57320]: Invalid user art from 113.185.0.16
Feb  8 11:27:33 castor sshd[57322]: Invalid user arthur from 113.185.0.16
Feb  8 11:27:36 castor sshd[57324]: Invalid user artie from 113.185.0.16
Feb  8 11:27:47 castor sshd[57326]: Invalid user arty from 113.185.0.16
Feb  8 11:27:50 castor sshd[57328]: Invalid user asha from 113.185.0.16
Feb  8 11:27:54 castor sshd[57330]: Invalid user asher from 113.185.0.16
Feb  8 11:27:57 castor sshd[57332]: Invalid user ashley from 113.185.0.16
Feb  8 11:28:01 castor sshd[57334]: Invalid user ashton from 113.185.0.16

That's 16 packets in 60 seconds.
2/5 wouldn't caught him either - 7 seconds between 3 packets

And I would be fine if just 3-4 packets exceeded the threshold, if it's not precise.
But it doesn't stop him at all, that what puzzles me

# bzgrep 113.185.0.16 /var/log/auth.log.0.bz2 | wc -l
     939

# pfctl -t abusive_hosts -T show 
   46.23.72.63
   69.162.99.220
   79.136.100.188
   93.174.31.134
   109.169.21.37
   188.127.244.107
   200.24.219.198
   221.133.41.170
   221.238.253.85
   222.186.37.205


some do caught, as you can see, but I still see every day those that avoid the trap

Thanks,

Vadym

> The details can be found in pf.c, see
> 
>  http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/pf.c?rev=HEAD
> 
> The reason this was chosen over a more precise algorithm is that this is
> very cheap CPU-wise and requires only a minimal amount of memory.
> 
> Regards,
> Daniel

More information about the freebsd-pf mailing list