brutal SSH attacks

Daniel Hartmeier daniel at benzedrine.cx
Thu Feb 10 07:53:01 UTC 2011


On Wed, Feb 09, 2011 at 03:55:42PM -0500, Vadym Chepkov wrote:

> Feb  8 11:27:01 castor sshd[57304]: Invalid user ariane from 113.185.0.16

count = 1000, last = 01

> Feb  8 11:27:04 castor sshd[57306]: Invalid user armand from 113.185.0.16

diff = 3, count -= 1000 * 3 / 60, += 1000, count = 1950, last = 04

> Feb  8 11:27:08 castor sshd[57308]: Invalid user armande from 113.185.0.16

diff = 4, count -= 1950 * 4 / 60, += 1000, count = 2820, last = 08

> Feb  8 11:27:11 castor sshd[57310]: Invalid user armando from 113.185.0.16

diff = 3, count -= 2820 * 3 / 60, += 1000, count = 3679, last = 11

> Feb  8 11:27:15 castor sshd[57312]: Invalid user armani from 113.185.0.16

diff = 4, count -= 3679 * 4 / 60, += 1000, count = 4434, last = 15

> Feb  8 11:27:18 castor sshd[57314]: Invalid user arnie from 113.185.0.16

diff = 3, count -= 4434 * 3 / 60, += 1000, count = 5213, last = 18

> Feb  8 11:27:22 castor sshd[57316]: Invalid user arne from 113.185.0.16

diff = 4, count -= 5213 * 4 / 60, += 1000, count = 5866, last = 22

> Feb  8 11:27:25 castor sshd[57318]: Invalid user arnold from 113.185.0.16

diff = 3, count -= 5866 * 3 / 60, += 1000, count = 6573, last = 25

> Feb  8 11:27:29 castor sshd[57320]: Invalid user art from 113.185.0.16

diff = 4, count -= 6573 * 4 / 60, += 1000, count = 7135, last = 29

> Feb  8 11:27:33 castor sshd[57322]: Invalid user arthur from 113.185.0.16

diff = 4, count -= 7135 * 4 / 60, += 1000, count = 7660, last = 33

> Feb  8 11:27:36 castor sshd[57324]: Invalid user artie from 113.185.0.16

diff = 3, count -= 7660 * 3 / 60, += 1000, count = 8277, last = 36

> Feb  8 11:27:47 castor sshd[57326]: Invalid user arty from 113.185.0.16

diff = 11, count -= 8277 * 11 / 60, += 1000, count = 7710, last = 47

(this 11-second pause reduces the rate estimate significantly;
if the scanner hadn't paused so long, it would have triggered)

> Feb  8 11:27:50 castor sshd[57328]: Invalid user asha from 113.185.0.16

diff = 3, count -= 7710 * 3 / 60, += 1000, count = 8325, last = 50

> Feb  8 11:27:54 castor sshd[57330]: Invalid user asher from 113.185.0.16

diff = 4, count -= 8325 * 4 / 60, += 1000, count = 8770, last = 54

> Feb  8 11:27:57 castor sshd[57332]: Invalid user ashley from 113.185.0.16

diff = 3, count -= 8770 * 3 / 60, += 1000, count = 9332, last = 57

Now count is larger than your limit 9000, and the threshold is
triggered, after 15 connections (the 16th is probably due to syslog
not showing the precise timestamps).

You can re-calculate the steps with 30 <seconds> (instead of 60),
and see how it triggers...

Daniel
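A worked replay of the estimate above, as an added example (not part of the original message or of pf's own code): it parses the quoted sshd lines and applies the same integer arithmetic pf uses in pf_check_threshold(), where the per-source counter is scaled by PF_THRESHOLD_MULT (1000), decays by count * diff / seconds on each new connection and then gains 1000. The log copy, the regular expression and the simulate() function are constructed for this example; the source address and the limit of 9 connections per 60 seconds (9000 scaled) are the ones in the message.

```python
import re
PF_THRESHOLD_MULT = 1000  # pf keeps the per-source counter scaled by 1000

# Constructed copy of the sshd lines quoted in the thread (same timestamps/source).
LOG = """\
Feb  8 11:27:01 castor sshd[57304]: Invalid user ariane from 113.185.0.16
Feb  8 11:27:04 castor sshd[57306]: Invalid user armand from 113.185.0.16
Feb  8 11:27:08 castor sshd[57308]: Invalid user armande from 113.185.0.16
Feb  8 11:27:11 castor sshd[57310]: Invalid user armando from 113.185.0.16
Feb  8 11:27:15 castor sshd[57312]: Invalid user armani from 113.185.0.16
Feb  8 11:27:18 castor sshd[57314]: Invalid user arnie from 113.185.0.16
Feb  8 11:27:22 castor sshd[57316]: Invalid user arne from 113.185.0.16
Feb  8 11:27:25 castor sshd[57318]: Invalid user arnold from 113.185.0.16
Feb  8 11:27:29 castor sshd[57320]: Invalid user art from 113.185.0.16
Feb  8 11:27:33 castor sshd[57322]: Invalid user arthur from 113.185.0.16
Feb  8 11:27:36 castor sshd[57324]: Invalid user artie from 113.185.0.16
Feb  8 11:27:47 castor sshd[57326]: Invalid user arty from 113.185.0.16
Feb  8 11:27:50 castor sshd[57328]: Invalid user asha from 113.185.0.16
Feb  8 11:27:54 castor sshd[57330]: Invalid user asher from 113.185.0.16
Feb  8 11:27:57 castor sshd[57332]: Invalid user ashley from 113.185.0.16
"""

# Extract time of day and source address from an sshd "Invalid user" line.
LINE_RE = re.compile(r"^\w{3} +\d+ (\d\d):(\d\d):(\d\d) \S+ sshd\[\d+\]: Invalid user \S+ from (\S+)")

def parse(log):
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        h, mi, s, ip = m.groups()
        yield int(h) * 3600 + int(mi) * 60 + int(s), ip

def simulate(log, limit, seconds, src="113.185.0.16"):
    """Replay pf's threshold counter for one source; returns (counts, trigger):
    counter after each connection, and the 1-based connection that exceeded limit."""
    scaled_limit = limit * PF_THRESHOLD_MULT
    count, last, counts, trigger = 0, None, [], None
    for now, ip in parse(log):
        if ip != src:
            continue
        diff = 0 if last is None else now - last
        if diff >= seconds:
            count = 0                           # idle for a full window: start over
        else:
            count -= count * diff // seconds    # decay, truncating like u_int32_t math
        count += PF_THRESHOLD_MULT              # one new connection
        last = now
        counts.append(count)
        if trigger is None and count > scaled_limit:
            trigger = len(counts)
    return counts, trigger
```

Changing `seconds` re-runs the estimate for a different window, as the message suggests; the counter values are recomputed by the script rather than copied from the hand calculation above.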

