On 24 February 2015 at 08:59, Hubert Kario <hkario@redhat.com> wrote:
On Tuesday 24 February 2015 08:53:04 Chris Murphy wrote:
> On Tue, Feb 24, 2015 at 8:45 AM, Stephen John Smoogen <smooge@gmail.com> wrote:
> > On 24 February 2015 at 05:46, Hubert Kario <hkario@redhat.com> wrote:
> >> On Tuesday 24 February 2015 13:08:46 Tomas Mraz wrote:
> >> > On Út, 2015-02-24 at 12:32 +0100, Hubert Kario wrote:
> >> > > rate limiting and denyhosts have no impact whatsoever when the attacker
> >> > > has a botnet at his disposal
> >> >
> >> > Large botnet means that the attack is targeted. I do not think we can
> >> > prevent targeted attack against weak password in the default
> >> > configuration. What we should aim at is prevention of non-targeted
> >> > attacks such as attacks you can see when you open ssh port on a public
> >> > IP almost immediately. These attacks usually come from single IP
> >> > address.
> >>
> >> Not necessarily, I've seen both - where an IP did try just 2 or 3
> >> password/user combinations and ones that did try dozens.
> >>
> >> Having access to a botnet is not uncommon or expensive, making it possible
> >> for "bored student" kind of targeted attacks. You can do a low level of such an
> >> attack with just EC2.
> >>
> >> I'm not saying that we shouldn't have rate limiting, but it shouldn't be the
> >> only thing above a simple dictionary check.
> >
> > That matches what I am seeing with a couple of random servers I have out
> > there. The number of attacks where IP address one is doing
> >
> > apple:apple
> > apple:123456
> > apple:trustn01
> > apple:...
> > bob:bob
> > bob:123456
> > bob:trustn01
> > bob:password
>
> Half of these will be allowed with the current installer behavior:
> # pwscore
> apple:123456
> 55
> # pwscore
> apple:trustn01
> 84
> # pwscore
> bob:trustn01
> 55
> # pwscore
> bob:password
> 58

I think that Stephen meant:
for user name 'apple' the attacker tries 'apple', '123456', 'trustn01', etc.
for user name 'bob'...

But yes, 'trustn01' is accepted, with a score of 1

though if trustn01 is really the third password tested it's rather surprising,
it is at position 83823 (tied with 3493 other passwords) in the RockYou list


That was just me remembering what passwords I saw coming in versus actual statistics. I apologize for misleading you in that way.

--
Stephen J Smoogen.