[Techtalk] 216 ssh login attempts, what to do?

Dominik Schramm dominik.schramm at gmxpro.net
Wed Oct 13 22:05:18 EST 2004


I must have missed the start of this thread, that's why I'm 
replying to aec via David's message...

David Sumbler <david at aeolia.co.uk> writes:

> On Tue, 12 Oct 2004, aec wrote:
>> ...here is what I am thinking...
>> If the anyone has X number of failed attempts then ip block them.

> But the OP's idea of blocking any log-in attempts from an IP with,
> say, three failed attempts in a short space of time seems an excellent
> one, yet nobody has addressed this.

AFAIK, this is what an intrusion detection system is there for (among 
other things). 
One IDS comes to my mind: snort, but I think this is a mere pattern
based IDS.

But, I'm starting to think that ...

> Is it really not possible to do what she suggested?  (And if it isn't,
> then it should be!)

...maybe netfilter can be used to do this. 

I'm thinking of something like this (sorry, I'm not good at drawing
things schematically):

Repeated connection attempt

packet level                   application level

Packet arrives --> port 22, TCP flags syn + !ack --> ACCEPT

                 SSH tries to authent. with PAM (PAM grants one try)
........      <-->          ........
  (!syn + ack) or (!syn + !ack)

                 Password wrong --> SSHd connection ends

...seconds later...
Packet arrives --> port 22, TCP flags syn + !ack --> DROP

Legitimate connection attempt

Packet arrives --> port 22, TCP flags syn + !ack --> ACCEPT
                 SSH tries to authent. with PAM (PAM grants one try)

........      <-->          ........
  (!syn + ack) or (!syn + !ack)

                 Password correct --> SSHd connection established

........      <-->          ........
  (!syn + ack) or (!syn + !ack)

The difference between these two situations is that in the first
case there are two attempts at establishing a TCP connection (i.e.:
syn bit set, ack bit cleared; if memory serves!) within seconds,
because SSHd terminates the connection after the wrong password was

In the second case, there is one attempt at establishing a TCP 
connection; SSHd continues the connection and all the following
packets have syn bit cleared and ack bit mostly set (except in 
case of lost packets).

I haven't tried this (I might, later :-) ), but the recent patch
for netfilter seems to fit in here.

or see

for a list of netfilter extensions which seem to do pretty much 

What do you all think? Would this work?

Have a nice evening, I'm off to the pub...


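The packet-level idea in the post above, worked through as an added example (my code, not the poster's, and not an actual netfilter rule): count TCP connection attempts (SYN set, ACK clear) to port 22 per source address and DROP further attempts once a source has made more than N inside a window of T seconds, while leaving packets of an established connection (SYN clear or ACK set) untouched. The two packet traces, the addresses and the timestamps are constructed for the demonstration; the threshold of three attempts per 60 seconds is an assumption taken from the "three failed attempts in a short space of time" suggestion in the thread.

```python
"""Simulation of the SYN-counting idea from the post: per-source sliding
window over connection attempts to port 22.  Added example with constructed
packets; nothing here is code from the post or from netfilter itself."""

from collections import defaultdict, deque

SSH_PORT = 22


def packet(src, t, syn, ack, dport=SSH_PORT):
    """A minimal stand-in for the header fields the rule looks at
    (source address, time in seconds, SYN flag, ACK flag, dest. port)."""
    return {"src": src, "t": t, "syn": syn, "ack": ack, "dport": dport}


class SynRateLimiter:
    """Per-source sliding window over SYN packets, modelled on what the
    post proposes (and on what a netfilter 'recent'-style match does)."""

    def __init__(self, hits=3, seconds=60):
        self.hits = hits            # connection attempts allowed per window
        self.seconds = seconds      # window length in seconds
        self.history = defaultdict(deque)   # src -> times of recent SYNs

    def verdict(self, pkt):
        if pkt["dport"] != SSH_PORT:
            return "ACCEPT"
        if not (pkt["syn"] and not pkt["ack"]):
            # Not a connection attempt (SYN+ACK, plain ACK, data, FIN):
            # the rule never looks at an established connection.
            return "ACCEPT"
        q = self.history[pkt["src"]]
        while q and pkt["t"] - q[0] > self.seconds:
            q.popleft()             # forget attempts outside the window
        q.append(pkt["t"])          # dropped attempts count too, so a
                                    # source that keeps hammering stays blocked
        return "DROP" if len(q) > self.hits else "ACCEPT"


def run_trace(trace, limiter=None):
    """Apply the rule to every packet; return (time, verdict) pairs."""
    limiter = limiter or SynRateLimiter()
    return [(p["t"], limiter.verdict(p)) for p in trace]


def syn_verdicts(trace, limiter=None):
    """Same, but report only the verdicts on connection attempts."""
    limiter = limiter or SynRateLimiter()
    verdicts = []
    for p in trace:
        v = limiter.verdict(p)
        if p["syn"] and not p["ack"]:
            verdicts.append(v)
    return verdicts


def brute_force_trace():
    """One guess per connection: SYN, short exchange, sshd closes, retry
    a few seconds later.  Constructed attacker address."""
    src = "198.51.100.7"
    out = []
    for t in (0, 5, 10, 15, 20):
        out.append(packet(src, t, syn=True, ack=False))          # new attempt
        out.append(packet(src, t + 0.1, syn=False, ack=True))    # handshake/data
    out.append(packet(src, 100, syn=True, ack=False))            # after window
    return out


def legitimate_trace():
    """One SYN, then a long established session carrying only ACK packets.
    Constructed client address."""
    src = "203.0.113.5"
    out = [packet(src, 0, syn=True, ack=False)]
    out += [packet(src, t, syn=False, ack=True) for t in (0.1, 2, 30, 300)]
    return out


if __name__ == "__main__":
    print("brute force:", syn_verdicts(brute_force_trace()))
    print("legitimate :", syn_verdicts(legitimate_trace()))
```

In the brute-force trace the first three attempts are accepted, the fourth and fifth are dropped, and an attempt well after the window is accepted again; the legitimate session is never touched because only its first packet is a bare SYN. The same logic in real netfilter terms, with the `recent` match (whether or not that is the patch the post has in mind), is two INPUT rules for `-p tcp --dport 22 --syn`: first `-m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP`, then `-m recent --name ssh --set -j ACCEPT`. Three caveats a practitioner should keep in mind: a packet-level counter cannot tell a failed login from a successful one, so a user who opens several connections in quick succession (scp in a loop, a few terminals) trips it just like a guesser; OpenSSH by default allows several password attempts within one TCP connection (MaxAuthTries), so a guesser gets more tries per SYN than the diagram assumes; and all hosts behind one NAT share a single counter. Counting actual failed logins needs something that reads the authentication log, as the post's remark about intrusion detection systems suggests.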