<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 24 February 2015 at 08:59, Hubert Kario <span dir="ltr"><<a href="mailto:hkario@redhat.com" target="_blank">hkario@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On Tuesday 24 February 2015 08:53:04 Chris Murphy wrote:<br>
> On Tue, Feb 24, 2015 at 8:45 AM, Stephen John Smoogen <<a href="mailto:smooge@gmail.com">smooge@gmail.com</a>><br>
wrote:<br>
> > On 24 February 2015 at 05:46, Hubert Kario <<a href="mailto:hkario@redhat.com">hkario@redhat.com</a>> wrote:<br>
> >> On Tuesday 24 February 2015 13:08:46 Tomas Mraz wrote:<br>
> >> > On Út, 2015-02-24 at 12:32 +0100, Hubert Kario wrote:<br>
> >> > > rate limiting and denyhosts have no impact whatsoever when the<br>
> >> > > attacker has a botnet at his disposal<br>
> >> ><br>
> >> > Large botnet means that the attack is targeted. I do not think we can<br>
> >> > prevent targeted attack against weak password in the default<br>
> >> > configuration. What we should aim at is prevention of non-targeted<br>
> >> > attacks such as the attacks you can see almost immediately when you open an<br>
> >> > ssh port on a public IP. These attacks usually come from a single IP<br>
> >> > address.<br>
> >><br>
> >> Not necessarily, I've seen both - where an IP did try just 2 or 3<br>
> >> password/user combinations and ones that did try dozens.<br>
> >><br>
> >> Having access to a botnet is not uncommon or expensive, making it possible<br>
> >> for "bored student" kinds of targeted attacks. You can do a low level of such<br>
> >> an attack with just EC2.<br>
> >><br>
> >> I'm not saying that we shouldn't have rate limiting, but it shouldn't be<br>
> >> the<br>
> >> only thing above simple dictionary check.<br>
> ><br>
> > That matches what I am seeing with a couple of random servers I have out<br>
> > there. The number of attacks where one IP address is doing<br>
> ><br>
> > apple:apple<br>
> > apple:123456<br>
> > apple:trustn01<br>
> > apple:...<br>
> > bob:bob<br>
> > bob:123456<br>
> > bob:trustn01<br>
> > bob:password<br>
><br>
> Half of these will be allowed with the current installer behavior:<br>
> # pwscore<br>
> apple:123456<br>
> 55<br>
> # pwscore<br>
> apple:trustn01<br>
> 84<br>
> # pwscore<br>
> bob:trustn01<br>
> 55<br>
> # pwscore<br>
> bob:password<br>
> 58<br>
<br>
</div></div>I think that Stephen meant:<br>
for user name 'apple' the attacker tries 'apple', '123456', 'trustn01', etc.<br>
for user name 'bob'...<br>
<br>
But yes, 'trustn01' is accepted, with a score of 1<br>
<br>
though if trustn01 is really the third password tested, that is rather surprising:<br>
it is at position 83823 (tied with 3493 other passwords) in the RockYou list<br>
<div class="HOEnZb"><div class="h5"><br></div></div></blockquote><div><br></div><div>That was just me remembering what passwords I saw coming in, versus actual statistics. I apologize for misleading you in that way. </div></div><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">Stephen J Smoogen.<br><br></div></div>
</div></div>
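Hubert's point above, that per-IP rate limiting or denyhosts cannot help when the same user name is tried from many different addresses, as an added illustration that is not part of the thread: a short Python script over constructed sshd log lines that separates the failed logins a per-source rule would catch from the distributed ones it would never see. The log lines, thresholds and (TEST-NET) addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sshd/auth.log style lines, not real data:
# 'apple' is hammered from one host, 'bob' once each from several hosts.
SAMPLE_LOG = """\
Feb 24 08:45:01 host sshd[1201]: Failed password for invalid user apple from 198.51.100.7 port 40111 ssh2
Feb 24 08:45:02 host sshd[1201]: Failed password for invalid user apple from 198.51.100.7 port 40112 ssh2
Feb 24 08:45:03 host sshd[1201]: Failed password for invalid user apple from 198.51.100.7 port 40113 ssh2
Feb 24 08:46:10 host sshd[1305]: Failed password for bob from 203.0.113.11 port 50001 ssh2
Feb 24 08:46:11 host sshd[1306]: Failed password for bob from 203.0.113.12 port 50002 ssh2
Feb 24 08:46:12 host sshd[1307]: Failed password for bob from 203.0.113.13 port 50003 ssh2
Feb 24 08:47:00 host sshd[1400]: Failed password for carol from 192.0.2.9 port 60000 ssh2
"""

# Matches both "Failed password for bob from ..." and
# "Failed password for invalid user apple from ..." forms.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
)


def parse_failures(log_text):
    """Return a list of (user, ip) pairs, one per failed password attempt."""
    pairs = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            pairs.append((m.group("user"), m.group("ip")))
    return pairs


def classify(pairs, per_ip_threshold=3, distributed_threshold=3):
    """Split guessing activity by what a per-source rule can see.

    single_source: users where some one IP reached per_ip_threshold attempts
      (a denyhosts/fail2ban style ban would fire).
    distributed:   users tried from >= distributed_threshold IPs, none of which
      alone reaches per_ip_threshold (the per-IP rule never fires).
    Thresholds are illustrative assumptions, not any tool's defaults.
    """
    by_user = defaultdict(lambda: defaultdict(int))
    for user, ip in pairs:
        by_user[user][ip] += 1
    single_source, distributed = {}, {}
    for user, ips in by_user.items():
        if any(n >= per_ip_threshold for n in ips.values()):
            single_source[user] = dict(ips)
        elif len(ips) >= distributed_threshold:
            distributed[user] = dict(ips)
    return single_source, distributed
```

Running `classify(parse_failures(SAMPLE_LOG))` reports 'apple' as catchable by a per-IP rule and 'bob' as distributed; a single stray failure for 'carol' is reported in neither bucket.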