[Info-vax] ssh dictionary attacks, DDoS
Hunter Goatley
goathunter at goatley.com
Wed Aug 16 16:16:57 EDT 2023
On 8/14/2023 5:59 PM, Stephen Hoffman wrote:
>
> Put a three or so second delay ahead of each ssh connection prior to the
> password processing, and put a five or ten second delay after a failed
> password, and then a delay again before dropping the connection when
> disconnecting from a failed login.
>
> Make the delays adjustable via configuration file or via (gag) logical
> names or such, if following OpenVMS app configuration UI norms. I've
> met a few of these that build the delay within the text shown while
> stalling, so the characters will dribble back to the originating host.
Nice suggestions, but bots don't really care how long it takes, from
what I've seen. Depends on the bots, of course.
> Adding support for fail2ban into ssh would be a nice addition if not
> already present, but adding it is probably more work than adding delays,
> and less able to handle botnet brute-force and DDoS shenanigans.
That's effectively what MultiNet's Intrusion Prevention Service is doing.
>
> That's usually either a resource leak, or resource exhaustion when
> things get too busy and all this as you are well aware, of course.
Yep. I'm just not sure where. The filtering stuff should not be using
paged pool. The search continues.
> The mail server should probably check the incoming mail server
> connection DNS for DANE or SPF or such, and force incoming connections
> to STARTTLS, and quite possibly add an RBL check.
Some of that is being done already. SPF checks are made, but that
doesn't stop connections. RBL lists are checked, but they're
surprisingly not very effective (at least the ones I'm using).
> There are a half-dozen or so settings in POSTFIX related to this
> anti-spam and related processing that can really slow the malicious
> traffic. (I'd expect OpenSMTPd has some similarities, but haven't had
> the opportunity to implement that in production.)
PreciseMail does a great job of handling the spam. The problem isn't
incoming mail, but just the connections that issue AUTH commands
repeatedly, trying to find something that works. The IPS stops them, but
there are so many from so many different IP addresses....
> Another option I've used—may or may not be an option here, and that for
> various reasons—is to relay incoming and outgoing messages via whatever
> mail server VSI is using, depending on the anti-spam and related
> capabilities of the VSI mail server. (Yeah, my suggestion around all of
> this reply including using relay is probably impolitic here, and, yeah,
> VSI might not want to "share" their mail server.)
Again, the problem isn't mail coming in. It's bots trying to find
accounts that are valid.
As I said before, blocking certain countries would go a long way toward
stopping the problem....
Thanks for your comments!
--
Hunter
------
Hunter Goatley, Process Software, http://www.process.com/
goathunter at goatley.com http://hunter.goatley.com/
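The thread above discusses two defences against the credential-guessing bots: Hoffman's configurable stalls before the password prompt and after a failed password, and fail2ban-style blocking of sources that fail repeatedly (what MultiNet's IPS does), together with Goatley's observation that the attempts come from so many different addresses that per-IP blocking alone is not enough. The block below is an added example written for this page; it is not code from MultiNet, its Intrusion Prevention Service, fail2ban or OpenVMS. It replays constructed SSH/SMTP AUTH-failure log lines (the line format, thresholds and addresses are assumptions) through a tracker that escalates the pre-password delay per recent failure, bans a source after a threshold of failures in a window, and additionally flags accounts being tried from many distinct addresses, which is the distributed case a per-IP ban does not see.

```python
"""Fail2ban-style tracking of repeated SSH/SMTP AUTH failures with escalating delays.

Added example for this thread; not code from MultiNet, its Intrusion Prevention
Service, fail2ban or OpenVMS. The log format, thresholds and addresses below are
assumptions made for illustration.
"""
import re
from collections import defaultdict, deque

# Constructed sample log (not real traffic): unix timestamp, service, event,
# source address, and the account the client tried to authenticate as.
SAMPLE_LOG = """\
1692049141 ssh auth-fail from 203.0.113.5 user root
1692049143 ssh auth-fail from 203.0.113.5 user admin
1692049146 ssh auth-fail from 203.0.113.5 user oracle
1692049150 smtp auth-fail from 198.51.100.7 user hunter
1692049151 smtp auth-fail from 198.51.100.8 user hunter
1692049152 smtp auth-fail from 198.51.100.9 user hunter
1692049153 smtp auth-fail from 198.51.100.10 user hunter
1692049155 ssh auth-fail from 203.0.113.5 user test
1692049160 ssh auth-ok from 192.0.2.20 user hunter
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<svc>\w+) (?P<ev>auth-fail|auth-ok) "
    r"from (?P<ip>[\d.]+) user (?P<user>\S+)$"
)


class AuthFailTracker:
    """Per-source failure counting plus a per-account view that catches one
    account being tried from many addresses, which a per-IP ban never sees."""

    def __init__(self, pre_auth_delay=3.0, fail_delay=5.0, max_fails=3,
                 window=600, ban_time=3600, spray_sources=3):
        self.pre_auth_delay = pre_auth_delay  # stall before the password prompt
        self.fail_delay = fail_delay          # stall after a failed password
        self.max_fails = max_fails            # failures within `window` that ban
        self.window = window                  # seconds
        self.ban_time = ban_time              # seconds
        self.spray_sources = spray_sources    # distinct IPs failing on one account
        self.fails = defaultdict(deque)       # ip -> timestamps of recent failures
        self.targets = defaultdict(dict)      # user -> {ip: last failure ts}
        self.bans = {}                        # ip -> ban expiry timestamp

    def _prune(self, dq, now):
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def is_banned(self, ip, now):
        expiry = self.bans.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.bans[ip]  # ban has lapsed
            return False
        return True

    def connection_delay(self, ip, now):
        """Seconds to stall before password processing, or None to drop the
        connection because the source is banned. Escalates per recent failure."""
        if self.is_banned(ip, now):
            return None
        dq = self.fails[ip]
        self._prune(dq, now)
        return self.pre_auth_delay + self.fail_delay * len(dq)

    def record_failure(self, ip, user, now):
        """Register a failed password; returns the post-failure stall."""
        dq = self.fails[ip]
        dq.append(now)
        self._prune(dq, now)
        if len(dq) >= self.max_fails:
            self.bans[ip] = now + self.ban_time
        self.targets[user][ip] = now
        return self.fail_delay

    def sprayed_accounts(self, now):
        """Accounts hit from >= spray_sources distinct addresses within the window."""
        hit = set()
        for user, srcs in self.targets.items():
            live = [ip for ip, ts in srcs.items() if now - ts <= self.window]
            if len(live) >= self.spray_sources:
                hit.add(user)
        return hit


def replay(log_text, tracker=None):
    """Feed log lines through the tracker; returns (tracker, connections dropped)."""
    tracker = tracker or AuthFailTracker()
    dropped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, user = int(m["ts"]), m["ip"], m["user"]
        if tracker.is_banned(ip, ts):
            dropped += 1  # banned source: drop before any password processing
            continue
        if m["ev"] == "auth-fail":
            tracker.record_failure(ip, user, ts)
    return tracker, dropped


if __name__ == "__main__":
    t, n = replay(SAMPLE_LOG)
    print("banned:", sorted(t.bans), "dropped:", n)
    print("sprayed accounts:", sorted(t.sprayed_accounts(1692049160)))
```

In the sample, 203.0.113.5 is banned after its third failure and its fourth connection is dropped, while the four addresses that each try the account "hunter" once never reach the per-IP threshold; only the per-account view flags that pattern, which is the case Goatley describes.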