how to block brute force attacks on reverse tunnels?

Steve Newcomb srn at coolheads.com
Fri Apr 26 01:14:56 AEST 2024


For many years I've been running ssh reverse tunnels on portable Linux, 
OpenWRT, Android etc. hosts so they can be accessed from a server whose 
IP is stable (I call such a server a "nexus host"). Increasingly there's 
a problem with brute force attacks on the nexus host's tunnel ports. The 
attack is forwarded to the portable tunneling host, where it fails, but 
it chews up a lot of resources and wants to be stopped. At the portable 
tunneling host, fail2ban can't be used to block the attacker's IP 
because when the attack arrives, it appears to the ssh daemon to be 
arriving from localhost (127.0.0.1). I'm not sure the attacker's IP can 
even be known at the portable host (openssh developers: can it?), and 
anyway it needs to be blocked by the nexus host before it can chew up 
yet more bandwidth.

The right answer might involve having the portable tunneling host inform 
the nexus host that an attack was forwarded on a particular port at a 
particular time. Then the nexus host, having kept a lot of records of 
such things, would look up the miscreant IP on that basis, add it to the 
banned ipset, and the attack would stop. Sounds inelegant and perhaps 
dangerous.

Thoughts?
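One way to make the correlation sketched in the post concrete, as an added example that is not part of the original message or of OpenSSH itself: the nexus host keeps its own record of who opened connections to each tunnel listen port (here assumed to be an iptables/nftables LOG rule with a hypothetical "TUNNEL-NEW: " prefix on NEW TCP connections to those ports), the portable host reports the tunnel port and time of each failed login, and a small script on the nexus host joins the two. The log lines and reports below are constructed, use documentation-range addresses, and assume RFC 3339 timestamps and synchronised clocks on both hosts. To address the "perhaps dangerous" part, a failure is attributed only when exactly one source connected to that port inside the time window, and an address is proposed for the banned ipset only after a fail2ban-style maxretry count; ambiguous reports are listed but never acted on.

```python
"""Correlate a portable tunneling host's failed-login reports with the nexus
host's firewall connection log to find which remote IP hit a reverse-tunnel
port. Added example, not code from the mailing-list post or from OpenSSH.

Assumed setup (hypothetical):
  - the nexus host logs NEW TCP connections to its tunnel listen ports with
    a LOG rule prefixed "TUNNEL-NEW: "
  - the portable host reports (nexus tunnel port, timestamp) per failed login
  - both hosts use RFC 3339 timestamps and synchronised clocks
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed nexus-host firewall log lines (documentation-range IPs).
NEXUS_FW_LOG = """\
2024-04-26T01:10:03+10:00 nexus kernel: TUNNEL-NEW: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=2222 SYN
2024-04-26T01:10:04+10:00 nexus kernel: TUNNEL-NEW: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=51235 DPT=2222 SYN
2024-04-26T01:10:07+10:00 nexus kernel: TUNNEL-NEW: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=51236 DPT=2222 SYN
2024-04-26T01:11:30+10:00 nexus kernel: TUNNEL-NEW: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=44000 DPT=2223 SYN
2024-04-26T01:11:31+10:00 nexus kernel: TUNNEL-NEW: IN=eth0 OUT= SRC=198.51.100.99 DST=198.51.100.7 PROTO=TCP SPT=44001 DPT=2223 SYN
"""

# Constructed reports from the portable host: (nexus tunnel port, failure time).
# On the portable host the connection appears to come from 127.0.0.1, so the
# port and time are all it can usefully report.
PORTABLE_REPORTS = [
    ("2222", "2024-04-26T01:10:04+10:00"),
    ("2222", "2024-04-26T01:10:05+10:00"),
    ("2222", "2024-04-26T01:10:08+10:00"),
    ("2223", "2024-04-26T01:11:32+10:00"),  # two sources in window: ambiguous
]

FW_RE = re.compile(
    r"^(?P<ts>\S+) \S+ kernel: TUNNEL-NEW: .*SRC=(?P<src>\S+) .*DPT=(?P<dpt>\d+)"
)


def parse_fw_log(text):
    """Return a list of (timestamp, src_ip, dport) for matching LOG lines."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dpt"]))
    return events


def attribute_failures(fw_events, reports, window=timedelta(seconds=5)):
    """Attribute each failure report to the single source IP that opened a
    connection to that port within `window` before the failure. Reports with
    zero or several candidate sources are returned as ambiguous and are never
    used as grounds for a ban."""
    attributed = Counter()
    ambiguous = []
    for port, ts in reports:
        t = datetime.fromisoformat(ts)
        candidates = {src for (et, src, dpt) in fw_events
                      if dpt == port and t - window <= et <= t}
        if len(candidates) == 1:
            attributed[candidates.pop()] += 1
        else:
            ambiguous.append((port, ts, sorted(candidates)))
    return attributed, ambiguous


def ban_candidates(attributed, maxretry=3):
    """IPs with at least `maxretry` attributed failures (fail2ban-style)."""
    return sorted(ip for ip, n in attributed.items() if n >= maxretry)


def ipset_commands(ips, setname="banned"):
    """Render the ipset additions; the caller decides whether to run them."""
    return [f"ipset add {setname} {ip} -exist" for ip in ips]


if __name__ == "__main__":
    events = parse_fw_log(NEXUS_FW_LOG)
    attributed, ambiguous = attribute_failures(events, PORTABLE_REPORTS)
    for cmd in ipset_commands(ban_candidates(attributed)):
        print(cmd)
    for port, ts, cands in ambiguous:
        print(f"skipped port {port} at {ts}: candidates {cands}")
```

On the constructed input this proposes a single ipset addition for 203.0.113.45 and skips the port 2223 report because two different sources connected inside the window. Shrinking the window, or logging the nexus-side source port and having the portable host's sshd report the local port it saw on 127.0.0.1, would make attribution exact rather than time-based; the script above deliberately refuses to guess.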


More information about the openssh-unix-dev mailing list