openssh unix dev - Apr 2024 - how to block brute force attacks on reverse tunnels?

On 25.04.24 17:15, openssh-unix-dev-request at mindrot.org
digested:
> Subject: how to block brute force attacks on reverse tunnels?
> From: Steve Newcomb <srn at coolheads.com>
> Date: 25.04.24, 17:14
> 
> For many years I've been running ssh reverse tunnels on portable Linux,
> OpenWRT, Android etc. hosts so they can be accessed from a server whose
> IP is stable (I call such a server a "nexus host"). Increasingly
there's
> a problem with brute force attacks on the nexus host's tunnel ports.
The
> attack is forwarded to the portable tunneling host, where it fails, but
> it chews up a lot of resources and wants to be stopped. At the portable
> tunneling host, fail2ban can't be used to block the attacker's IP
because
> when the attack arrives, it appears to the ssh daemon to be arriving from
> localhost (127.0.0.1). I'm not sure the attacker's IP can even be
known
> at the portable host (openssh developers: can it?), and anyway it needs
> to be blocked by the nexus host before it can chew up yet more bandwidth.
I take it that checking users/clients as they show up at the hub 
server's door in the first place is, for some reason, infeasible?

(We have solutions in prod where devices on customer premises similarly 
create a tunnel(-end) on our server to connect to their sshd, *but* 
users have to authenticate as they SSH or VPN to that server in the 
first place and the tunnel is restricted to localhost or VPN client pool 
IPs.)

Kind regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3449 bytes
Desc: S/MIME Cryptographic Signature
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20240425/c6981b43/attachment-0001.p7s>

I use Shorewall rule for stuff like this,you would do this on the
internet-facing host:

ACCEPT        all               fw              tcp     22      -       -      
s:3/min:2

https://shorewall.org/ConnectionRate.html


This limits the connection rate to the tunnel ports.
Another option is some form of port knocking (but I?m not a fan of those).
Or just do a proper VPN and only expose the ports to the VPN clients...

Jan
> On 25. 4. 2024, at 19:44, Jochen Bern <Jochen.Bern at binect.de>
wrote:
> 
> On 25.04.24 17:15, openssh-unix-dev-request at mindrot.org digested:
>> Subject: how to block brute force attacks on reverse tunnels?
>> From: Steve Newcomb <srn at coolheads.com>
>> Date: 25.04.24, 17:14
>> For many years I've been running ssh reverse tunnels on portable
Linux,
>> OpenWRT, Android etc. hosts so they can be accessed from a server whose
>> IP is stable (I call such a server a "nexus host").
Increasingly there's
>> a problem with brute force attacks on the nexus host's tunnel
ports. The
>> attack is forwarded to the portable tunneling host, where it fails, but
>> it chews up a lot of resources and wants to be stopped. At the portable
>> tunneling host, fail2ban can't be used to block the attacker's
IP because
>> when the attack arrives, it appears to the ssh daemon to be arriving
from
>> localhost (127.0.0.1). I'm not sure the attacker's IP can even
be known
>> at the portable host (openssh developers: can it?), and anyway it needs
>> to be blocked by the nexus host before it can chew up yet more
bandwidth.
> 
> I take it that checking users/clients as they show up at the hub
server's door in the first place is, for some reason, infeasible?
> 
> (We have solutions in prod where devices on customer premises similarly
create a tunnel(-end) on our server to connect to their sshd, *but* users have
to authenticate as they SSH or VPN to that server in the first place and the
tunnel is restricted to localhost or VPN client pool IPs.)
> 
> Kind regards,
> -- 
> Jochen Bern
> Systemingenieur
> 
> Binect GmbH
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev