Re: Limit login attempt rate
- From: "D. Stussy" <spam@xxxxxxxxxxxxxxxx>
- Date: Thu, 24 Jul 2008 12:23:39 -0700
"bmearns" <mearns.b@xxxxxxxxx> wrote in message
news:103d250f-85a7-4240-aa96-81c1a8f2a85d@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> I'm running an sshd on Fedora 8, and have recently been getting
> swamped with people trying to log in (i.e., break in). It's configured
> to only allow three authentication attempts per connection, but they
> just keep reconnecting: probably some script kiddies with port
> sniffers and password testers. Is there a way to configure it so that
> there's a timeout after failed attempts? For example, if a particular
> address tries and fails three times to authenticate, that address is
> blocked for three hours, or something similar?
Firewall rules are usually the most effective. Consider this:
1) If your access is ONLY from static addresses, then restrict access to
only those addresses.
2) If your access is dynamic but always through the same provider (e.g.
residential DSL, cable modem, etc.), ask your provider for the DHCP ranges
that they will assign - and restrict access to those ranges.
3) If you must open access to the rest of the world (usually due to
travel), consider banning addresses from parts of the world you never travel
to.
a) Ban all IPv4 ranges assigned to the 4 RIRs other than the one that
covers where (your users and) you live.
b) Use limiting and connection limiting to rate limit connection
attempts. With iptables:
... -j ACCEPT -s [your-usual-IP-or-range]
... -j REJECT -s [foreign-IP-ranges] --reject-with icmp-net-prohibited
...
... -j ACCEPT -m state --state ESTABLISHED,RELATED
... -j REJECT -m connlimit --connlimit-above 1 --connlimit-mask 24
... -j ACCEPT -m limit --limit 1/minute --limit-burst 1
... -j REJECT
or if you really want to be obnoxious, instead of the last reject, use:
... -j REJECT -m limit --limit 1/hour --limit-burst 1
... -j TARPIT
Limit and connlimit are in the Linux kernel but need to be enabled (disabled
by default). The TARPIT target is in netfilter.org's patch-o-matic-ng code
addition. I wish tarpit were made part of the standard kernel....
What does that do?
- Those already connected continue.
- Those seeking a connection can do so ONLY if there is at most one other
(TCP) connection of ANY type from the same class-C subnet, may seek a new
connection only once per minute, and if they exceed that, they get an ICMP
rejection. Should the "obnoxious option" be chosen, they get their
rejection, and if they try again within the same minute, they get tarpitted.
Note that the tarpit may count as a connection - it's not necessarily exempt
from the connection tracking code.
- Those who successfully connect then get to try to enter a password
(default is 3 attempts per connection, but in sshd_config, that can be
changed). Legitimate users will usually enter a correct password on the
first or second try, so they should be unaffected. Others will usually
exceed the limits and be locked out or tarpitted by the limits.
I put my ssh specific firewall rules into their own ruleset list. That
makes it convenient to check just those rules for snooping from banned areas
of the world. I also log all attempts that make it to the accept line with
limits. Do not log the accept state=established, else EVERY ssh packet will
be recorded.
Some people suggest using a port other than 22 for ssh. I'll leave that for
others to discuss. However, if you do this, let anyone that tries port 22
to get a rejection a couple of times before tarpitting them.
In the past 15 hours via IPv4, I got 11 attempts from other regions, plus 2
IPs in my region that tried. One tried 5 times, and he got 3 packets that
were accepted (and therefore got a password prompt), the 4th was rejected,
and the 5th would have been tarpitted if I had that enabled, whereby the
hacker gave up. I see no hack attempts via IPv6.
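Added example, not the poster's own rules: a shell script that installs the ruleset above as a dedicated chain (the poster keeps the SSH rules in their own list), with the LOG rule placed on the rate-limited accept rather than on the ESTABLISHED accept. The chain name SSH_IN and the address ranges are assumptions; the ranges are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Mirrors the poster's rule
# order: home range, foreign ranges, established, connlimit, rate limit,
# catch-all reject. Address ranges are constructed placeholders; override
# them from the environment. DRY_RUN=1 prints the commands instead of
# running iptables.

HOME_RANGE="${HOME_RANGE:-192.0.2.0/24}"                             # constructed
FOREIGN_RANGES="${FOREIGN_RANGES:-198.51.100.0/24 203.0.113.0/24}"   # constructed
SSH_PORT="${SSH_PORT:-22}"

ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

ssh_rules() {
    # Own chain (assumed name SSH_IN), so the SSH rules can be listed alone
    ipt -N SSH_IN 2>/dev/null
    ipt -F SSH_IN
    ipt -A SSH_IN -s "$HOME_RANGE" -j ACCEPT
    for range in $FOREIGN_RANGES; do
        ipt -A SSH_IN -s "$range" -j REJECT --reject-with icmp-net-prohibited
    done
    # Existing sessions pass without logging; a LOG here would record every packet
    ipt -A SSH_IN -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Refuse a new connection when the source /24 already has one open
    ipt -A SSH_IN -m connlimit --connlimit-above 1 --connlimit-mask 24 -j REJECT
    # Global bucket, as in the post: one new connection per minute; log only
    # the attempts that make it to this accept
    ipt -A SSH_IN -m limit --limit 1/minute --limit-burst 1 -j LOG --log-prefix "SSH-NEW: "
    ipt -A SSH_IN -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
    ipt -A SSH_IN -j REJECT
    # Send SSH traffic through the chain (delete first so re-runs do not stack)
    ipt -D INPUT -p tcp --dport "$SSH_PORT" -j SSH_IN 2>/dev/null
    ipt -I INPUT -p tcp --dport "$SSH_PORT" -j SSH_IN
}

# "sh script.sh apply" as root installs; "DRY_RUN=1 sh script.sh apply" previews
if [ "${1:-}" = apply ]; then
    ssh_rules
fi
```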