brutal SSH attacks
Vadym Chepkov
vchepkov at gmail.com
Wed Feb 9 20:55:51 UTC 2011
On Feb 9, 2011, at 1:51 PM, Daniel Hartmeier wrote:
> On Tue, Feb 08, 2011 at 08:07:52PM -0500, Vadym Chepkov wrote:
>
>> No idea, why it didn't stop after 9 attempts.
>
> The connection rate is not calculated precisely, from pf.conf(5)
>
> max-src-conn-rate <number> / <seconds>
> Limit the rate of new connections over a time interval. The con-
> nection rate is an approximation calculated as a moving average.
>
> There is a counter, and a last-update-time.
>
> When the first connection matches, the counter starts at zero, and the
> time (one second resolution) is noted.
>
> Whenever a subsequent connection matches, the following happens:
>
> 1) if the last-update-time is further back than <seconds> (60, in your
> case), the counter is reset to zero.
> 2) otherwise, the counter is reduced relative to how much time has
> passed since last-update-time (i.e. the counter is multiplied by
> (now - last-update-time) / <seconds>
> 3) the counter is incremented by 1000
>
> When the counter exceeds 1000 * <number> (9, in your case), the
> max-src-conn-rate is triggered.
>
> This works reasonably well in many cases, but may be quite inprecise,
> especially when <number> is much smaller than <seconds>.
>
> You could try max-src-conn-rate 2/5 instead.
>
Wouldn't it be dangerous to reduce it this drastically? I can lock out myself.
I don't think it's uncommon to try to open 3 connections at the same time, especially in NAT environment.
I would increase "number", but it will negate the rule.
Here is an example of an actual intruder:
Feb 8 11:27:01 castor sshd[57304]: Invalid user ariane from 113.185.0.16
Feb 8 11:27:04 castor sshd[57306]: Invalid user armand from 113.185.0.16
Feb 8 11:27:08 castor sshd[57308]: Invalid user armande from 113.185.0.16
Feb 8 11:27:11 castor sshd[57310]: Invalid user armando from 113.185.0.16
Feb 8 11:27:15 castor sshd[57312]: Invalid user armani from 113.185.0.16
Feb 8 11:27:18 castor sshd[57314]: Invalid user arnie from 113.185.0.16
Feb 8 11:27:22 castor sshd[57316]: Invalid user arne from 113.185.0.16
Feb 8 11:27:25 castor sshd[57318]: Invalid user arnold from 113.185.0.16
Feb 8 11:27:29 castor sshd[57320]: Invalid user art from 113.185.0.16
Feb 8 11:27:33 castor sshd[57322]: Invalid user arthur from 113.185.0.16
Feb 8 11:27:36 castor sshd[57324]: Invalid user artie from 113.185.0.16
Feb 8 11:27:47 castor sshd[57326]: Invalid user arty from 113.185.0.16
Feb 8 11:27:50 castor sshd[57328]: Invalid user asha from 113.185.0.16
Feb 8 11:27:54 castor sshd[57330]: Invalid user asher from 113.185.0.16
Feb 8 11:27:57 castor sshd[57332]: Invalid user ashley from 113.185.0.16
Feb 8 11:28:01 castor sshd[57334]: Invalid user ashton from 113.185.0.16
That's 16 packets in 60 seconds.
2/5 wouldn't caught him either - 7 seconds between 3 packets
And I would be fine if just 3-4 packets exceeded the threshold, if it's not precise.
But it doesn't stop him at all, that what puzzles me
# bzgrep 113.185.0.16 /var/log/auth.log.0.bz2 | wc -l
939
# pfctl -t abusive_hosts -T show
46.23.72.63
69.162.99.220
79.136.100.188
93.174.31.134
109.169.21.37
188.127.244.107
200.24.219.198
221.133.41.170
221.238.253.85
222.186.37.205
some do caught, as you can see, but I still see every day those that avoid the trap
Thanks,
Vadym
> The details can be found in pf.c, see
>
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/pf.c?rev=HEAD
>
> The reason this was chosen over a more precise algorithm is that this is
> very cheap CPU-wise and requires only a minimal amount of memory.
>
> Regards,
> Daniel
More information about the freebsd-pf
mailing list