Port-macppc archive


Re: [OT] SSH throttle - security



> I have an ssh annoyance - my logs are FULL of cracking attempts.
> This is an externally visible server, so I can't simply shut off
> access.  They are trying lots of random accounts, and I'm not worried
> that they'll get in, but it's a pain, both because it generates huge
> logfiles, and also because it burns non-trivial CPU.

> Does anyone know of an option/method to "throttle" incoming SSH
> requests[?]

Well, I know what I did.  I don't know how close to useful it might be
for you.

I have something watching my log file (currently checking once a
minute, which is basically OK for my purposes); when it sees logfile
spoor it doesn't like, it runs a script with the offending IP address.
There are two scripts I use.  One is used for machines entirely behind
my house router; those just tell my house router to block the offending
IP (a block which expires 24 hours after the last traffic from that IP
is seen).  Another is used on machines which exist outside that
router (one of which exists inside as well); this one does a "route add
-host $ip 127.0.0.1 -reject", which, while it does not strictly prevent
the machine from talking to me, does prevent me from talking back to
it, and thus prevents further TCP connections from coming up, which
keeps the ssh daemon from noticing anything.  It then does "(sleep
86400; route delete host $ip) &" to take the block down a day later.

> I would be more than happy to limit said requests to one every N
> seconds, where N is in the range of 5-10 (or more?)

My approach needs a more aggressive watching of the logfile to do that.
Make the watcher check every second and change the 86400 to more like
10 and you have something much closer to what you want.  If you have a
way to get log lines sent directly to a program, that could help by
avoiding the check-interval delay.

Of course, ideally, the detection part would be driven by your ssh
daemon itself, rather than by something watching for log lines it
produces.  But this is even more implementation-dependent than watching
the logs; you haven't quite said so explicitly, but your reluctance to
"write proxy software" implies you're probably also reluctant to hack
on your ssh daemon.

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                mouse%rodents-montreal.org@localhost
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
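An added example of the log-watching approach described in the reply above.  It is not Mouse's own script and not part of the original message: it scans sshd log lines for repeated failed or bogus logins, adds the same kind of rejecting host route the reply describes (passing -host to the delete as well as the add, the syntax the add command in the mail uses), and schedules the route's removal after a TTL.  The log lines are constructed sample input using RFC 5737 test addresses, the state file path is a hypothetical choice, and DRY_RUN is an assumed switch that prints the route commands instead of running them.

```shell
#!/bin/sh
# Added example, not the scripts from the message above.  A one-shot watcher
# in the spirit of that reply: find addresses with too many failed ssh logins,
# add a rejecting host route for each, and schedule the route's removal.
# Run it from cron every minute (or from a loop with a shorter sleep) to get
# the check interval the reply talks about.
# Assumptions: BSD route(8) syntax as quoted in the mail, sshd log lines of the
# usual "Failed password ... from A.B.C.D" / "Invalid user X from A.B.C.D"
# forms, and a hypothetical state file that remembers what is already blocked.

# Constructed sample log lines (RFC 5737 test addresses), not real traffic.
sample_log() {
    cat <<'EOF'
Mar 10 12:00:01 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Mar 10 12:00:03 host sshd[1235]: Failed password for root from 192.0.2.10 port 51235 ssh2
Mar 10 12:00:05 host sshd[1236]: Invalid user oracle from 192.0.2.10
Mar 10 12:00:07 host sshd[1237]: Accepted publickey for mouse from 198.51.100.7 port 40001 ssh2
Mar 10 12:00:09 host sshd[1238]: Failed password for invalid user test from 203.0.113.5 port 51000 ssh2
EOF
}

# offenders THRESHOLD  (log on stdin) -> one address per line, sorted.
# Only sshd lines reporting a failed or bogus login count; the address is the
# word after "from", so a successful "Accepted" line never contributes.
offenders() {
    awk -v min="${1:-3}" '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print ip }
    ' | sort
}

# block_ip IP TTL [STATEFILE]
# Same mechanism as the reply: a -reject host route via 127.0.0.1 stops our
# replies, so the peer's TCP handshakes never complete and sshd sees nothing.
# A background subshell lifts the block TTL seconds later.  With DRY_RUN=1 the
# commands are printed instead of run (assumed switch, also used by the test).
block_ip() {
    ip=$1; ttl=${2:-86400}; state=${3:-}
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "route add -host $ip 127.0.0.1 -reject"
        echo "(sleep $ttl; route delete -host $ip) &"
        return 0
    fi
    route add -host "$ip" 127.0.0.1 -reject || return 1
    (
        sleep "$ttl"
        route delete -host "$ip"
        # forget the address so a later pass may block it again
        if [ -n "$state" ]; then
            grep -vx "$ip" "$state" > "$state.tmp" || :
            mv "$state.tmp" "$state"
        fi
    ) &
}

# scan_and_block LOGFILE THRESHOLD TTL [STATEFILE]
# One pass of the watcher.  The state file avoids adding a second route (and a
# second expiry timer) for an address that is already blocked.
scan_and_block() {
    log=$1; threshold=$2; ttl=$3; st=${4:-/var/run/sshblock.state}
    touch "$st"
    offenders "$threshold" < "$log" | while read -r ip; do
        grep -qx "$ip" "$st" && continue
        block_ip "$ip" "$ttl" "$st" && echo "$ip" >> "$st"
    done
}

# Demo against the constructed lines without touching the routing table:
#   sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); sample_log > "$tmp"
    DRY_RUN=1 scan_and_block "$tmp" 2 10 "$tmp.state"
    rm -f "$tmp" "$tmp.state"
fi
```

With the sample above and a threshold of 2, only 192.0.2.10 (three failures) is blocked; 203.0.113.5 has a single failure and the successful login from 198.51.100.7 is never counted.  A real deployment would pass the live auth log and, as the reply notes, a threshold of a few seconds' worth of attempts and a short TTL if the goal is rate limiting rather than a day-long ban.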

