SSH Brute Force Attacks


bpearse

Occasional Visitor
I see that there is an option under "Administration/System/Miscellaneous" for Enable Brute Force Protection. I am curious what this option does. Does it adjust iptables similar to this thread?

Iptables settings against attacks
 
Yes. It limits connection attempts to sshd to a maximum of 4 every 60 seconds from a given IP.
 
Yes, it creates this chain:
Code:
Chain SSHBFP (1 references)
target     prot opt source               destination
           all  --  anywhere             anywhere            recent: SET name: SSH side: source
DROP       all  --  anywhere             anywhere            recent: UPDATE seconds: 60 hit_count: 4 name: SSH side: source
ACCEPT     all  --  anywhere             anywhere
 
Not working?

Uh, I have the Brute Force Protection enabled in the GUI, but it does not seem to help. Here is my 'China Syndrome' from syslog. Maybe I need to adjust the variables, as in 4 attempts every 60 minutes?

Code:
Oct  7 20:00:08 dropbear[1096]: Login attempt for nonexistent user from 203.199.194.66:50870
Oct  7 20:00:09 dropbear[1096]: Exit before auth: Disconnect received
Oct  7 20:00:10 dropbear[1097]: Child connection from 203.199.194.66:51077
Oct  7 20:00:13 dropbear[1097]: Login attempt for nonexistent user from 203.199.194.66:51077
Oct  7 20:00:14 dropbear[1097]: Exit before auth: Disconnect received
Oct  7 20:00:15 dropbear[1098]: Child connection from 203.199.194.66:51256
Oct  7 20:00:17 dropbear[1098]: Login attempt for nonexistent user from 203.199.194.66:51256
Oct  7 20:00:18 dropbear[1098]: Exit before auth: Disconnect received
Oct  7 20:08:04 dropbear[1099]: Child connection from 199.115.230.115:59952
Oct  7 20:08:04 dropbear[1099]: Exit before auth: Exited normally
Oct  7 20:12:23 dropbear[1100]: Child connection from 199.115.230.115:52947
Oct  7 20:12:24 dropbear[1100]: Login attempt for nonexistent user from 199.115.230.115:52947
Oct  7 20:12:25 dropbear[1100]: Exit before auth: Disconnect received
Oct  7 20:12:25 dropbear[1101]: Child connection from 199.115.230.115:53295
Oct  7 20:12:26 dropbear[1101]: Login attempt for nonexistent user from 199.115.230.115:53295
Oct  7 20:12:27 dropbear[1101]: Exit before auth: Disconnect received
Oct  7 20:12:27 dropbear[1102]: Child connection from 199.115.230.115:53421
Oct  7 20:12:28 dropbear[1102]: Login attempt for nonexistent user from 199.115.230.115:53421
Oct  7 20:12:29 dropbear[1102]: Exit before auth: Disconnect received
Oct  7 20:20:25 dropbear[1103]: Child connection from 199.115.230.115:57995
Oct  7 20:20:26 dropbear[1103]: Login attempt for nonexistent user from 199.115.230.115:57995
Oct  7 20:20:27 dropbear[1103]: Exit before auth: Disconnect received
Oct  7 20:20:27 dropbear[1104]: Child connection from 199.115.230.115:58215
Oct  7 20:20:28 dropbear[1104]: Login attempt for nonexistent user from 199.115.230.115:58215
Oct  7 20:20:29 dropbear[1104]: Exit before auth: Disconnect received
Oct  7 20:20:29 dropbear[1105]: Child connection from 199.115.230.115:58482
Oct  7 20:20:30 dropbear[1105]: Login attempt for nonexistent user from 199.115.230.115:58482
Oct  7 20:20:31 dropbear[1105]: Exit before auth: Disconnect received
Oct  7 20:28:25 dropbear[1106]: Child connection from 199.115.230.115:43132
Oct  7 20:28:26 dropbear[1106]: Login attempt for nonexistent user from 199.115.230.115:43132
Oct  7 20:28:27 dropbear[1106]: Exit before auth: Disconnect received
Oct  7 20:28:27 dropbear[1107]: Child connection from 199.115.230.115:43339
Oct  7 20:28:28 dropbear[1107]: Login attempt for nonexistent user from 199.115.230.115:43339
Oct  7 20:28:29 dropbear[1107]: Exit before auth: Disconnect received
Oct  7 20:28:29 dropbear[1108]: Child connection from 199.115.230.115:43554
Oct  7 20:28:30 dropbear[1108]: Login attempt for nonexistent user from 199.115.230.115:43554
Oct  7 20:33:31 dropbear[1108]: Exit before auth: Timeout before auth
Oct  7 20:34:00 dropbear[1109]: Child connection from 199.115.230.115:46911
Oct  7 20:34:01 dropbear[1109]: Login attempt for nonexistent user from 199.115.230.115:46911
Oct  7 20:34:02 dropbear[1109]: Exit before auth: Disconnect received
Oct  7 20:34:02 dropbear[1110]: Child connection from 199.115.230.115:47123
Oct  7 20:34:03 dropbear[1110]: Login attempt for nonexistent user from 199.115.230.115:47123
Oct  7 20:34:04 dropbear[1110]: Exit before auth: Disconnect received
Oct  7 20:34:04 dropbear[1111]: Child connection from 199.115.230.115:47360
Oct  7 20:34:05 dropbear[1111]: Login attempt for nonexistent user from 199.115.230.115:47360
Oct  7 20:34:06 dropbear[1111]: Exit before auth: Disconnect received
Oct  7 20:41:51 dropbear[1112]: Child connection from 199.115.230.115:59077
Oct  7 20:41:52 dropbear[1112]: Login attempt for nonexistent user from 199.115.230.115:59077
Oct  7 20:41:53 dropbear[1112]: Exit before auth: Disconnect received
Oct  7 20:41:53 dropbear[1113]: Child connection from 199.115.230.115:59298
Oct  7 20:41:55 dropbear[1113]: Login attempt for nonexistent user from 199.115.230.115:59298
Oct  7 20:41:55 dropbear[1113]: Exit before auth: Disconnect received
Oct  7 20:41:55 dropbear[1114]: Child connection from 199.115.230.115:59554
Oct  7 20:41:57 dropbear[1114]: Login attempt for nonexistent user from 199.115.230.115:59554
Oct  7 20:41:57 dropbear[1114]: Exit before auth: Disconnect received
Oct  7 20:50:04 dropbear[1115]: Child connection from 199.115.230.115:46461
Oct  7 20:50:06 dropbear[1115]: Login attempt for nonexistent user from 199.115.230.115:46461
Oct  7 20:50:06 dropbear[1115]: Exit before auth: Disconnect received
Oct  7 20:50:10 dropbear[1116]: Child connection from 199.115.230.115:46660
Oct  7 20:50:11 dropbear[1116]: Login attempt for nonexistent user from 199.115.230.115:46660
Oct  7 20:50:11 dropbear[1116]: Exit before auth: Disconnect received
Oct  7 20:50:12 dropbear[1117]: Child connection from 199.115.230.115:47201
Oct  7 20:50:13 dropbear[1117]: Login attempt for nonexistent user from 199.115.230.115:47201
Oct  7 20:50:13 dropbear[1117]: Exit before auth: Disconnect received
Oct  7 21:00:00 dropbear[1118]: Child connection from 199.115.230.115:59508
Oct  7 21:00:01 dropbear[1118]: Login attempt for nonexistent user from 199.115.230.115:59508
Oct  7 21:00:02 dropbear[1118]: Exit before auth: Disconnect received
Oct  7 21:00:02 dropbear[1119]: Child connection from 199.115.230.115:59687
Oct  7 21:00:03 dropbear[1119]: Login attempt for nonexistent user from 199.115.230.115:59687
Oct  7 21:00:04 dropbear[1119]: Exit before auth: Disconnect received
Oct  7 21:00:04 dropbear[1120]: Child connection from 199.115.230.115:59905
Oct  7 21:00:06 dropbear[1120]: Login attempt for nonexistent user from 199.115.230.115:59905
Oct  7 21:00:07 dropbear[1120]: Exit before auth: Disconnect received
Oct  7 21:10:21 dropbear[1121]: Child connection from 199.115.230.115:47454
Oct  7 21:10:22 dropbear[1121]: Login attempt for nonexistent user from 199.115.230.115:47454
Oct  7 21:10:23 dropbear[1121]: Exit before auth: Disconnect received
Oct  7 21:10:23 dropbear[1122]: Child connection from 199.115.230.115:47616
Oct  7 21:10:24 dropbear[1122]: Login attempt for nonexistent user from 199.115.230.115:47616
Oct  7 21:10:25 dropbear[1122]: Exit before auth: Disconnect received
Oct  7 21:10:25 dropbear[1123]: Child connection from 199.115.230.115:47838
Oct  7 21:10:26 dropbear[1123]: Login attempt for nonexistent user from 199.115.230.115:47838
Oct  7 21:10:27 dropbear[1123]: Exit before auth: Disconnect received
 
4 attempts every 60 minutes would be a bit radical, as any legitimate trouble logging in would lock you out for a whole hour. The goal of limiting connections to 4 per minute is enough to ensure that it won't be possible to do any effective brute force attack; it's not meant to completely prevent them from trying. Notice that a lot of those connection attempts reoccur 8-10 minutes later, so the block is effective in slowing them down enough to ensure they can't force their way in.
 

Doh! You are right. I did not really notice the time stamps. So the iptables settings are indeed working as they should.
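To make the mechanics of the SSHBFP chain concrete, here is an added simulation (not from the thread or the router firmware) written from my reading of the kernel's xt_recent semantics: the --set rule stamps every new connection, and the --update rule drops once 4 stamps fall inside 60 s, adding a stamp itself when it matches. It walks constructed dropbear-style lines (the 199.115.230.115 timestamps are copied from the posted log; 198.51.100.7 is a hypothetical source) and shows why the posted log only ever holds bursts of three: the fourth attempt in a window never reaches dropbear, a retry within 60 s of the last attempt stays blocked, and one after an 8-minute pause gets through.

```python
import re
from collections import defaultdict
from datetime import datetime

WINDOW, HITCOUNT, LIST_TOT = 60, 4, 20  # --seconds, --hitcount, ip_pkt_list_tot default

# Constructed input: new-connection attempts as dropbear would log them. The
# 199.115.230.115 lines copy the thread's timestamps; 198.51.100.7 is a
# hypothetical source hammering 5 times in 8 s, retrying after 55 s, then after 8 min.
SAMPLE_LOG = """\
Oct  7 20:12:23 dropbear[1100]: Child connection from 199.115.230.115:52947
Oct  7 20:12:25 dropbear[1101]: Child connection from 199.115.230.115:53295
Oct  7 20:12:27 dropbear[1102]: Child connection from 199.115.230.115:53421
Oct  7 21:30:00 dropbear[2001]: Child connection from 198.51.100.7:40001
Oct  7 21:30:02 dropbear[2002]: Child connection from 198.51.100.7:40002
Oct  7 21:30:04 dropbear[2003]: Child connection from 198.51.100.7:40003
Oct  7 21:30:06 dropbear[2004]: Child connection from 198.51.100.7:40004
Oct  7 21:30:08 dropbear[2005]: Child connection from 198.51.100.7:40005
Oct  7 21:31:05 dropbear[2006]: Child connection from 198.51.100.7:40006
Oct  7 21:39:00 dropbear[2007]: Child connection from 198.51.100.7:40007
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) dropbear\[\d+\]: Child connection from ([\d.]+):\d+")

def parse_connections(text, year=2015):  # syslog omits the year; 2015 is a placeholder
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {' '.join(m.group(1).split())}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    return events

def sshbfp(events):
    """Walk the SSHBFP chain for each new connection; return (src, verdict) pairs."""
    stamps, verdicts = defaultdict(list), []
    for now, src in events:
        hist = stamps[src]
        hist.append(now)                             # rule 1: --set stamps every attempt
        hits = sum(1 for t in hist if (now - t).total_seconds() <= WINDOW)
        if hits >= HITCOUNT:                         # rule 2: --update --seconds 60 --hitcount 4
            hist.append(now)                         # a matching --update adds a stamp too
            verdicts.append((src, "DROP"))
        else:
            verdicts.append((src, "ACCEPT"))         # rule 3: everything else is accepted
        del hist[:-LIST_TOT]                         # kernel keeps only the newest LIST_TOT stamps
    return verdicts

def verdicts_for(src, text=SAMPLE_LOG):
    return [v for s, v in sshbfp(parse_connections(text)) if s == src]
```

A dropped attempt never reaches dropbear, so bursts of three followed by a pause in syslog are exactly what a working filter looks like from the inside; only an attempt that passes the chain gets a "Child connection" line.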
 
