Constantine A. Murenin wrote:

> So, my question is: Does anyone know how this particular attack works
> and if there's a way to stop this? If my theory is sound and OpenSSH
> does not have provisions to limit the authentication requests per TCP
> session, I'd find that an inadequacy in OpenSSH, but I'm probably
> missing something here :)
>
> This is just one thread that I've found now, called "is there a way to
> block sshd trolling?":
> http://arkiv.openbsd.nu/?ml=openbsd-misc&a=0&t=1325006.
>
> Most of these attacks come from compromised Linux hosts, so if you use
> pf(4), you could easily block access to ssh port from any Linux
> machine, and then you're mostly covered. :) See
> http://arkiv.openbsd.nu/?ml=openbsd-misc&a=0&m=1332409.

I'm not so much searching for a solution to the 'problem', but rather want to know why ratelimiting apparently doesn't work for some of the scans. I see IP addresses being blocked just fine by the pf rule due to scans, but also see some other scans still succeed. Ratelimiting is one of the few solutions I can agree with, and it should simply work.

Perhaps I should try running a tcpdump for a few days again to get a packet trace of such a 'succeeding' scan. Might show what's going on..

--
Pieter
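The thread leaves two mechanisms side by side: a pf rule that counts new TCP connections per source, and the suggestion that a scanner can push many authentication requests through a single TCP session, which a connection-rate rule never sees. The fragment below is an added illustration of how the two complement each other; it is not configuration from either poster. The table name `<bruteforce>`, the interface macro `$ext_if` and the threshold values are assumptions chosen for the example; the pf keywords (`max-src-conn-rate`, `overload ... flush global`) and the sshd_config options (`MaxAuthTries`, `LoginGraceTime`, `MaxStartups`) are real.

```conf
# --- /etc/pf.conf fragment (added example, not from the thread) ---
# Sources that open more than 5 new SSH connections in 30 seconds are
# added to <bruteforce>, their existing states are flushed, and the
# "block in quick" rule drops everything from them afterwards.
table <bruteforce> persist
block in quick on $ext_if from <bruteforce>
pass in on $ext_if proto tcp to port ssh flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# --- /etc/ssh/sshd_config fragment (added example, not from the thread) ---
# The pf rule above only counts connection attempts. A client that keeps
# one TCP session open and retries passwords inside it is bounded here:
# MaxAuthTries caps attempts per connection, LoginGraceTime caps how long
# an unauthenticated session may linger, and MaxStartups caps how many
# unauthenticated connections may be open at once (start:rate:full).
MaxAuthTries 3
LoginGraceTime 20
MaxStartups 10:30:60
```

To see which sources the pf rule has actually caught, `pfctl -t bruteforce -T show` lists the table's current members; a scan that is visible in `auth.log` but absent from the table is one that stayed under the connection-rate threshold, which is the case the sshd limits are there to cover.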
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
