SSH IP Block Listing
Introduction
SSH IP block listing is a feature that reduces the attack surface of the Secret Server SSH proxy and SSH terminal services.
Enabled by default, the feature adds to a block list any single IP address that fails to authenticate a number of connections within a defined time period. Once on the block list, the client IP is rejected when initiating an SSH connection, reducing the chances of a successful brute-force credential or denial of service (DoS) attack.
SSH Block Listing Rules
Client Override Settings
Client override settings let you create allow lists and block lists, and blocked IPs are administered via IP restriction administration.
Examples:
- A blocked IP is allowed if in a bypass allow-list entry
- A normally unblocked IP is blocked if included in a block list entry
Default Rules
The defaults are:
- SSH block listing is enabled
- Five connection attempts are allowed in a 30-minute period
- The amount of history kept per client can be adjusted but must be greater than or equal to the Max Attempts
That is, any single IP that fails to authenticate five times in any one 30-minute period is added to a permanent block list.
SSH Proxy Block List Settings
The feature is administered via Admin > Proxying > SSH Proxy:
SSH proxy block-list settings:
- Enable Block Listing: Enable or disable the SSH block listing feature. When enabled, IPs reaching the defined blocking threshold are automatically added to the SSH IP restrictions block list. When disabled, all IP addresses are able to connect and attempt to authenticate an unrestricted number of times.
- Auto Block Max Attempts: The maximum number of failed or unauthenticated connections allowed.
- Auto Block Max History: The maximum number of attempts to keep in each client's history.
- Auto Block Time Frame (minutes): The length of the window within which the "Auto Block Max Attempts" count must be reached before a client IP is added to the block list.
Client Override IP Address Ranges
You can configure specific IP address ranges to always allow or always block an incoming connection. If allowed, authentication is still required to access the SSH proxy or SSH terminal services.
To add a range:
- Scroll down on the same tab:
- Click the Add link. A popup appears:
- Type an IP address or range in the Range text box. You can use CIDR notation. Examples:
  - 192.168.3.12
  - 192.168.42.147-192.168.42.194
  - 192.168.3.52/22
- Click the Client Type dropdown list to select Allow List or Block List.
- Click the Save button. Your choices appear:
These rules have priority over individual IP client settings in the SSH IP restrictions list.
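The following is an added model of the rules described under Default Rules, SSH Proxy Block List Settings and Client Override IP Address Ranges; it is illustration code, not Secret Server's own implementation, and the class and function names are constructed. It counts failures in a sliding window of Auto Block Time Frame minutes, caps per-client history at Auto Block Max History, and applies override ranges (single IP, dashed range, CIDR) ahead of the per-IP client type.

```python
# Added model (not Secret Server code) of the page's SSH block-listing rules.
from collections import deque
from dataclasses import dataclass, field
import ipaddress

def parse_range(text):
    """Override entry -> (low, high) ints: single IP, CIDR, or 'start-end' range."""
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return int(lo), int(hi)
    # strict=False so a host address such as 192.168.3.52/22 covers its whole /22
    net = ipaddress.ip_network(text.strip(), strict=False)
    return int(net[0]), int(net[-1])

def _matches(ranges, ip):
    n = int(ipaddress.ip_address(ip))
    return any(lo <= n <= hi for lo, hi in ranges)

@dataclass
class SshBlockList:
    enabled: bool = True
    max_attempts: int = 5      # Auto Block Max Attempts (page default)
    max_history: int = 5       # Auto Block Max History; must be >= max_attempts
    time_frame_min: int = 30   # Auto Block Time Frame, minutes (page default)
    allow_ranges: list = field(default_factory=list)  # client override allow list
    block_ranges: list = field(default_factory=list)  # client override block list
    client_type: dict = field(default_factory=dict)   # ip -> "Allow List"/"Block List"
    history: dict = field(default_factory=dict)       # ip -> deque of failure minutes

    def __post_init__(self):
        if self.max_history < self.max_attempts:
            raise ValueError("Auto Block Max History must be >= Auto Block Max Attempts")

    def is_allowed(self, ip):
        """Override ranges beat the per-IP client type; no type means Unknown (allowed).
        Block override beating allow override when both match is an assumption."""
        if _matches(self.block_ranges, ip):
            return False
        if _matches(self.allow_ranges, ip):
            return True
        return self.client_type.get(ip, "Unknown") != "Block List"

    def record_failure(self, ip, minute):
        """Count a failed connection; block once max_attempts failures fall in one window."""
        if not self.enabled or self.client_type.get(ip) == "Allow List" or _matches(self.allow_ranges, ip):
            return
        q = self.history.setdefault(ip, deque(maxlen=self.max_history))
        q.append(minute)
        if sum(1 for t in q if minute - t < self.time_frame_min) >= self.max_attempts:
            self.client_type[ip] = "Block List"  # stays until an admin reclassifies it
```

Reclassifying a blocked client, as described later under Blocking or Unblocking Client IPs, corresponds to setting its entry in `client_type` to "Allow List".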
IP Address Management
SSH IP Restrictions
Client IP address management is accessed via Admin > Proxying > SSH IP Restrictions:
This page lists client IP addresses that were added by a connection exceeding the limits allowed for failed or unauthenticated attempts to one of the proxy endpoints, including any that have been previously reclassified.
The list has a number of built in display filters:
- All
- Allow List
- Block List
- Unknown
Use the search feature to locate specific IP addresses.
Managing IP Addresses
If an IP address is located on the SSH IP Restrictions page, you can view or edit its current SSH proxy block status. For example, a user may have inadvertently blocked her client IP for a number of reasons, such as testing the connection too many times in a short time period or performing a vulnerability or port scan against the proxy endpoint IP addresses.
Client Types
The SSH IP Restrictions page categorizes clients as follows:
Client Type | Access | Rule Type | Description | Notes |
---|---|---|---|---|
Allow List | Yes | Static | These IPs are allowed. Meeting the automatic blocking thresholds will not result in block listing. | Could be useful to allow list a vulnerability scanner. Is overridden by a matching override block list. |
Block List | No | Static | These IPs are always blocked. | Is overridden by a matching override allow list. |
Unknown | Yes | Dynamic | These are IPs that have previously accessed the SSH proxy and have not met the automatic block thresholds. They are in neither static allow nor block states. | This is a client default, even if covered by an override allow or block list. |
IP Address Activity
The SSH IP Restrictions page allows you to view the connection history for an IP address:
This shows the authentication status of each connection attempt, which is especially helpful when troubleshooting SSH terminal connectivity.
Blocking or Unblocking Client IPs
- Go to the SSH IP Restrictions tab:
- Locate the desired IP address in the list using the filter and search features.
- Click the Edit link to the right of that IP address in the list. A popup appears.
- Click the Client Type dropdown list to select either Allow List or Block List for the client type.
- Click the Save button.
Troubleshooting
If a user reports that he or she is unable to connect using an SSH proxied or tunneled secret launcher from an IP included in the block list, you will see the following logging:
Secret Server On-Premises
For Secret Server On-Premises where the SSH proxy is on a web-node (IIS):
Path: c:\inetpub\wwwroot\SecretServer\log\SS.log
Message:
INFO Thycotic.SSHProxy.SSHServer - SSHProxy_Server_ConnectionReceived
INFO Thycotic.SSHProxy.Logic.ConnectionBridge - SSHProxy_Client_Stopped_NoAuth
WARN Thycotic.SSHProxy.Logic.ConnectionBridge - SSH Proxy host 10.12.60.148:22 refused a connection from client 10.12.60.106:52572 for too many failed authentication attempts. If this was in error, please go to Admin > Proxying, click the SSH IP Restrictions tab and update the Client Type to Allow List for this client IP.
Distributed Engines
For Secret Server Cloud or On-Premises with a distributed engine:
Path: C:\Program Files\Thycotic Software Ltd\Distributed Engine\log\SSDE.log
Message:
INFO Thycotic.SSHProxy.SSHServer - SSHProxy_Server_ConnectionReceived - String[] {10.12.60.148:22, 10.12.60.106:50182}
INFO Thycotic.SSHProxy.Logic.ConnectionBridge - SSHProxy_Client_Stopped_NoAuth - String[] {}~
WARN Thycotic.SSHProxy.Logic.ConnectionBridge - SSHProxy_Server_ConnectionRefused - (null)
INFO Thycotic.SSHProxy.Logic.ClientToServerConnection - ClientToServerConnection, buffer, and tunnel disposed - (null)