Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. OpenSSH>
  3. Dev
how to block brute force attacks on reverse tunnels?
srn at coolheads
Apr 25, 2024, 8:14 AM
Post #1 of 5 (37 views)
Permalink
For many years I've been running ssh reverse tunnels on portable Linux,
OpenWRT, Android etc. hosts so they can be accessed from a server whose
IP is stable (I call such a server a "nexus host"). Increasingly there's
a problem with brute force attacks on the nexus host's tunnel ports. The
attack is forwarded to the portable tunneling host, where it fails, but
it chews up a lot of resources and wants to be stopped. At the portable
tunneling host, fail2ban can't be used to block the attacker's IP
because when the attack arrives, it appears to the ssh daemon to be
arriving from localhost (127.0.0.1). I'm not sure the attacker's IP can
even be known at the portable host (openssh developers: can it?), and
anyway it needs to be blocked by the nexus host before it can chew up
yet more bandwidth.

The right answer might involve having the portable tunneling host inform
the nexus host that an attack was forwarded on a particular port at a
particular time. Then the nexus host, having kept a lot of records of
such things, would look up the miscreant IP on that basis, add it to the
banned ipset, and the attack would stop. Sounds inelegant and perhaps
dangerous.

Thoughts?
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: how to block brute force attacks on reverse tunnels? [ In reply to ]
gert at greenie
Apr 25, 2024, 9:14 AM
Post #2 of 5 (37 views)
Permalink
Hi,

On Thu, Apr 25, 2024 at 11:14:56AM -0400, Steve Newcomb wrote:
> For many years I've been running ssh reverse tunnels on portable Linux,
> OpenWRT, Android etc. hosts so they can be accessed from a server whose IP
> is stable (I call such a server a "nexus host").

I tend to close everything "towards the Internet", except a single SSH
port which is then set to pubkey-only.

So you'd need to login to the nexus host and jump onwards from there
("ssh -J nexus-host" :) ) - which is not what you have been asking for,
but might be easier to achieve.

gert

--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany gert@greenie.muc.de
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: how to block brute force attacks on reverse tunnels? [ In reply to ]
Jochen.Bern at binect
Apr 25, 2024, 10:44 AM
Post #3 of 5 (37 views)
Permalink
On 25.04.24 17:15, openssh-unix-dev-request@mindrot.org digested:
> Subject: how to block brute force attacks on reverse tunnels?
> From: Steve Newcomb <srn@coolheads.com>
> Date: 25.04.24, 17:14
>
> For many years I've been running ssh reverse tunnels on portable Linux,
> OpenWRT, Android etc. hosts so they can be accessed from a server whose
> IP is stable (I call such a server a "nexus host"). Increasingly there's
> a problem with brute force attacks on the nexus host's tunnel ports. The
> attack is forwarded to the portable tunneling host, where it fails, but
> it chews up a lot of resources and wants to be stopped. At the portable
> tunneling host, fail2ban can't be used to block the attacker's IP because
> when the attack arrives, it appears to the ssh daemon to be arriving from
> localhost (127.0.0.1). I'm not sure the attacker's IP can even be known
> at the portable host (openssh developers: can it?), and anyway it needs
> to be blocked by the nexus host before it can chew up yet more bandwidth.

I take it that checking users/clients as they show up at the hub
server's door in the first place is, for some reason, infeasible?

(We have solutions in prod where devices on customer premises similarly
create a tunnel(-end) on our server to connect to their sshd, *but*
users have to authenticate as they SSH or VPN to that server in the
first place and the tunnel is restricted to localhost or VPN client pool
IPs.)

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH

Attached Files:

Re: how to block brute force attacks on reverse tunnels? [ In reply to ]
jan at schermer
Apr 25, 2024, 10:50 AM
Post #4 of 5 (37 views)
Permalink
I use Shorewall rule for stuff like this,you would do this on the internet-facing host:

ACCEPT all fw tcp 22 - - s:3/min:2

https://shorewall.org/ConnectionRate.html


This limits the connection rate to the tunnel ports.
Another option is some form of port knocking (but I’m not a fan of those).
Or just do a proper VPN and only expose the ports to the VPN clients...

Jan

> On 25. 4. 2024, at 19:44, Jochen Bern <Jochen.Bern@binect.de> wrote:
>
> On 25.04.24 17:15, openssh-unix-dev-request@mindrot.org digested:
>> Subject: how to block brute force attacks on reverse tunnels?
>> From: Steve Newcomb <srn@coolheads.com>
>> Date: 25.04.24, 17:14
>> For many years I've been running ssh reverse tunnels on portable Linux,
>> OpenWRT, Android etc. hosts so they can be accessed from a server whose
>> IP is stable (I call such a server a "nexus host"). Increasingly there's
>> a problem with brute force attacks on the nexus host's tunnel ports. The
>> attack is forwarded to the portable tunneling host, where it fails, but
>> it chews up a lot of resources and wants to be stopped. At the portable
>> tunneling host, fail2ban can't be used to block the attacker's IP because
>> when the attack arrives, it appears to the ssh daemon to be arriving from
>> localhost (127.0.0.1). I'm not sure the attacker's IP can even be known
>> at the portable host (openssh developers: can it?), and anyway it needs
>> to be blocked by the nexus host before it can chew up yet more bandwidth.
>
> I take it that checking users/clients as they show up at the hub server's door in the first place is, for some reason, infeasible?
>
> (We have solutions in prod where devices on customer premises similarly create a tunnel(-end) on our server to connect to their sshd, *but* users have to authenticate as they SSH or VPN to that server in the first place and the tunnel is restricted to localhost or VPN client pool IPs.)
>
> Kind regards,
> --
> Jochen Bern
> Systemingenieur
>
> Binect GmbH
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: how to block brute force attacks on reverse tunnels? [ In reply to ]
jan at schermer
Apr 25, 2024, 10:50 AM
Post #5 of 5 (37 views)
Permalink
I use Shorewall rule for stuff like this,you would do this on the internet-facing host:

ACCEPT all fw tcp 22 - - s:3/min:2

https://shorewall.org/ConnectionRate.html


This limits the connection rate to the tunnel ports.
Another option is some form of port knocking (but I’m not a fan of those).
Or just do a proper VPN and only expose the ports to the VPN clients...

Jan

> On 25. 4. 2024, at 19:44, Jochen Bern <Jochen.Bern@binect.de> wrote:
>
> On 25.04.24 17:15, openssh-unix-dev-request@mindrot.org digested:
>> Subject: how to block brute force attacks on reverse tunnels?
>> From: Steve Newcomb <srn@coolheads.com>
>> Date: 25.04.24, 17:14
>> For many years I've been running ssh reverse tunnels on portable Linux,
>> OpenWRT, Android etc. hosts so they can be accessed from a server whose
>> IP is stable (I call such a server a "nexus host"). Increasingly there's
>> a problem with brute force attacks on the nexus host's tunnel ports. The
>> attack is forwarded to the portable tunneling host, where it fails, but
>> it chews up a lot of resources and wants to be stopped. At the portable
>> tunneling host, fail2ban can't be used to block the attacker's IP because
>> when the attack arrives, it appears to the ssh daemon to be arriving from
>> localhost (127.0.0.1). I'm not sure the attacker's IP can even be known
>> at the portable host (openssh developers: can it?), and anyway it needs
>> to be blocked by the nexus host before it can chew up yet more bandwidth.
>
> I take it that checking users/clients as they show up at the hub server's door in the first place is, for some reason, infeasible?
>
> (We have solutions in prod where devices on customer premises similarly create a tunnel(-end) on our server to connect to their sshd, *but* users have to authenticate as they SSH or VPN to that server in the first place and the tunnel is restricted to localhost or VPN client pool IPs.)
>
> Kind regards,
> --
> Jochen Bern
> Systemingenieur
>
> Binect GmbH
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal