[Techtalk] 216 ssh login attempts, what to do?

Dominik Schramm dominik.schramm at gmxpro.net
Wed Oct 13 22:05:18 EST 2004


Hi,

I must have missed the start of this thread, that's why I'm 
replying to aec via David's message...

David Sumbler <david at aeolia.co.uk> writes:

> On Tue, 12 Oct 2004, aec wrote:
>
>> ...here is what I am thinking...
>>
>> If the anyone has X number of failed attempts then ip block them.

> But the OP's idea of blocking any log-in attempts from an IP with,
> say, three failed attempts in a short space of time seems an excellent
> one, yet nobody has addressed this.

AFAIK, this is what an intrusion detection system is there for (among 
other things). 
One IDS comes to my mind: snort, but I think this is a mere pattern
based IDS.

But, I'm starting to think that ...

> Is it really not possible to do what she suggested?  (And if it isn't,
> then it should be!)

...maybe netfilter can be used to do this. 

I'm thinking of something like this (sorry, I'm not good at drawing
things schematically):

Repeated connection attempt
---------------------------

packet level                   application level


Packet arrives --> port 22, TCP flags syn + !ack --> ACCEPT

                 SSH tries to authent. with PAM (PAM grants one try)
                 
........      <-->          ........
  (!syn + ack) or (!syn + !ack)

                 Password wrong --> SSHd connection ends

...seconds later...
Packet arrives --> port 22, TCP flags syn + !ack --> DROP


Legitimate connection attempt
-----------------------------

Packet arrives --> port 22, TCP flags syn + !ack --> ACCEPT
  
                 SSH tries to authent. with PAM (PAM grants one try)

........      <-->          ........
  (!syn + ack) or (!syn + !ack)

                 Password correct --> SSHd connection established

........      <-->          ........
  (!syn + ack) or (!syn + !ack)


The difference between these two situations is that in the first
case there are two attempts at establishing a TCP connection (i.e.:
syn bit set, ack bit cleared; if memory serves!) within seconds,
because SSHd terminates the connection after the wrong password was
given.

In the second case, there is one attempt at establishing a TCP 
connection; SSHd continues the connection and all the following
packets have syn bit cleared and ack bit mostly set (except in 
case of lost packets).

I haven't tried this (I might, later :-) ), but the recent patch
for netfilter seems to fit in here.
See 
http://tinyurl.com/57teb
(http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-3.html#ss3.16)

or see
http://tinyurl.com/5rvdm
(http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO.html)

for a list of netfilter extensions which seem to do pretty much 
anything. 

What do you all think? Would this work?

Have a nice evening, I'm off to the pub...

dominik
