On 24 February 2015 at 08:53, Chris Murphy <lists@colorremedies.com> wrote:
On Tue, Feb 24, 2015 at 8:45 AM, Stephen John Smoogen <smooge@gmail.com> wrote:
>
>
> On 24 February 2015 at 05:46, Hubert Kario <hkario@redhat.com> wrote:
>>
>> On Tuesday 24 February 2015 13:08:46 Tomas Mraz wrote:
>> > On Tue, 2015-02-24 at 12:32 +0100, Hubert Kario wrote:
>>
>> > > rate limiting and denyhosts have no impact whatsoever when the
>> > > attacker has a botnet at his disposal
>> >
>> > Large botnet means that the attack is targeted. I do not think we can
>> > prevent a targeted attack against a weak password in the default
>> > configuration. What we should aim at is prevention of non-targeted
>> > attacks such as attacks you can see when you open ssh port on a public
>> > IP almost immediately. These attacks usually come from a single IP
>> > address.
>>
>> Not necessarily, I've seen both - where an IP did try just 2 or 3
>> password/user combinations and ones that did try dozens.
>>
>> Having access to a botnet is not uncommon or expensive, making it possible
>> for "bored student" kind of targeted attacks. You can do a low level of
>> such an attack with just EC2.
>>
>> I'm not saying that we shouldn't have rate limiting, but it shouldn't be
>> the only thing above simple dictionary check.
>>
>
> That matches what I am seeing with a couple of random servers I have out
> there. The number of attacks where IP address one is doing
>
> apple:apple
> apple:123456
> apple:trustn01
> apple:...
> bob:bob
> bob:123456
> bob:trustn01
> bob:password

Half of these will be allowed with the current installer behavior:
# pwscore
apple:123456
55
# pwscore
apple:trustn01
84
# pwscore
bob:trustn01
55
# pwscore
bob:password
58


Uhm, that was meant to be account name : password, so you should only test what is after the :


--
Stephen J Smoogen.
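
The distinction argued over in the quoted discussion (one address trying many pairs versus many addresses trying two or three each) can be checked against sshd logs. The following is an added example, not part of the original thread; it assumes the common OpenSSH "Failed password" log line, and the thresholds, addresses and log lines are constructed.

```python
import re
from collections import defaultdict

# Matches the usual OpenSSH failure line; "invalid user " is present for unknown accounts.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def parse(lines):
    """Yield (account, source_ip) for every failed password attempt."""
    for line in lines:
        m = FAILED.search(line)
        if m:
            yield m.group(1), m.group(2)

def analyse(lines, per_ip_limit=5, distinct_src_limit=4):
    """Return (noisy_ips, spread_accounts).

    noisy_ips: what a per-address limiter (denyhosts style) would act on.
    spread_accounts: accounts failing from many distinct addresses, which a
    per-address limiter never sees because each address stays under the limit.
    """
    per_ip = defaultdict(int)
    sources = defaultdict(set)
    for account, ip in parse(lines):
        per_ip[ip] += 1
        sources[account].add(ip)
    noisy = sorted(ip for ip, n in per_ip.items() if n >= per_ip_limit)
    spread = sorted(a for a, s in sources.items() if len(s) >= distinct_src_limit)
    return noisy, spread

def sample_log():
    """Constructed log lines (documentation address ranges, hypothetical host)."""
    fmt = "Feb 24 08:{:02d}:00 host sshd[{}]: Failed password for {}{} from {} port 40000 ssh2"
    out = []
    # One address working through account:password pairs.
    for i in range(6):
        account = "apple" if i < 3 else "bob"
        out.append(fmt.format(i, 100 + i, "invalid user ", account, "198.51.100.7"))
    # Ten addresses, two attempts each, all against one account.
    for i in range(10):
        for j in range(2):
            out.append(fmt.format(10 + i, 200 + 2 * i + j, "", "root", f"203.0.113.{i + 1}"))
    out.append("Feb 24 08:30:00 host sshd[300]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2")
    return out

if __name__ == "__main__":
    noisy, spread = analyse(sample_log())
    print("addresses over the per-address limit:", noisy)
    print("accounts attacked from many addresses:", spread)
```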