
Preventing brute force ssh attacks

Preventing brute force ssh attacks

Posted Oct 25, 2007 14:03 UTC (Thu) by Tet (subscriber, #5433)
Parent article: Preventing brute force ssh attacks

If a host exceeds that limit, its IP address is not allowed to make ssh connections for another minute. This slows down the traffic rather severely, but does have some drawbacks

Of course, the problem with that is the existence of legitimate access patterns that hit the ssh server many times a second. The darcs source control system, for example, uses a new ssh connection for each patch when syncing two repositories. Whether that's a sane thing to be doing is questionable, but it's the current behaviour. Using ssh connection sharing is probably helpful here, but it's simply not viable to expect users to know about that.



Preventing brute force ssh attacks

Posted Oct 25, 2007 15:40 UTC (Thu) by apollock (subscriber, #14629)

With OpenSSH, I think you could address this issue by configuring SSH to reuse existing connections, rather than spawning new ones. You'd even get a performance improvement. See the ControlMaster and ControlPath configuration directives in ssh_config(5).
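The connection-sharing setup the comment above points at, written out as an added example (it is not from the thread, from OpenSSH's documentation, or from darcs). With this in place, a run of short per-patch ssh invocations travels as channels over one TCP connection, so a per-IP new-connection rate limit like the one quoted from the article sees a single connection instead of many. The host, user and socket name are assumptions chosen for illustration:

```sshconfig
# ~/.ssh/config  (added example; host, user and socket name are assumptions)
Host repohost.example.org
    HostName repohost.example.org
    User alice
    # The first ssh to this host becomes the master; later ones reuse its
    # socket instead of opening a new TCP connection and re-authenticating.
    ControlMaster auto
    # Keep the socket under ~/.ssh (a mode-0700 directory). Anyone who can
    # open this socket gets a fully authenticated session on the remote host,
    # so it must never live in a world-writable place such as /tmp.
    ControlPath ~/.ssh/cm-%r@%h:%p
    # Keep the master alive for 10 minutes after the last session exits, so
    # sequential short connections (one per patch) all share it.
    # ControlPersist only exists in OpenSSH 5.6 and later, i.e. after this
    # thread; on older releases see the note below.
    ControlPersist 10m
```

On an OpenSSH without ControlPersist, each darcs-spawned ssh would become master and then exit when its command finished, so nothing would be shared; instead hold a master open explicitly before the sync with `ssh -M -N -f repohost.example.org`, confirm it with `ssh -O check repohost.example.org`, and tear it down afterwards with `ssh -O exit repohost.example.org`. Those same `-O check` / `-O exit` commands (or removing the stale socket file) are also the way to recover if a master stops responding.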

Preventing brute force ssh attacks

Posted Oct 30, 2007 16:34 UTC (Tue) by droundy (subscriber, #4559)

This approach sort of works. But there is a bug in ssh that causes it to occasionally hang when working with a control master. So it's not yet a general solution. :(

(And no, I've no idea what triggers this bug, it appears to be platform-dependent, showing up more often on MacOS X. And yes, it's been reported to the OpenSSH developers.)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds