On Tuesday 24 February 2015 08:53:04 Chris Murphy wrote:
On Tue, Feb 24, 2015 at 8:45 AM, Stephen John Smoogen <smooge(a)gmail.com> wrote:
> On 24 February 2015 at 05:46, Hubert Kario <hkario(a)redhat.com> wrote:
>> On Tuesday 24 February 2015 13:08:46 Tomas Mraz wrote:
>> > On Út, 2015-02-24 at 12:32 +0100, Hubert Kario wrote:
>> > > rate limiting and denyhosts have no impact whatsoever when the attacker
>> > > has a botnet at his disposal
>> >
>> > Large botnet means that the attack is targeted. I do not think we can
>> > prevent targeted attack against weak password in the default
>> > configuration. What we should aim at is prevention of non-targeted
>> > attacks such as attacks you can see when you open ssh port on a public
>> > IP almost immediately. These attacks usually come from single IP
>> > address.
>>
>> Not necessarily, I've seen both - where an IP did try just 2 or 3
>> password/user combinations and ones that did try dozens.
>>
>> Having access to a botnet is not uncommon or expensive, making it possible for
>> "bored student" kind of targeted attacks. You can do a low level of such an
>> attack with just EC2.
>>
>> I'm not saying that we shouldn't have rate limiting, but it shouldn't be the
>> only thing above a simple dictionary check.
>
> That matches what I am seeing with a couple of random servers I have out
> there. The number of attacks where IP address one is doing
>
> apple:apple
> apple:123456
> apple:trustn01
> apple:...
> bob:bob
> bob:123456
> bob:trustn01
> bob:password
Half of these will be allowed with the current installer behavior:
# pwscore
apple:123456
55
# pwscore
apple:trustn01
84
# pwscore
bob:trustn01
55
# pwscore
bob:password
58
I think that Stephen meant:
for user name 'apple' the attacker tries 'apple', '123456',
'trustn01', etc.
for user name 'bob'...
But yes, 'trustn01' is accepted, with a score of 1,
though if trustn01 is really the third password tested it's rather surprising:
it is in position 83823 (tied with 3493 other passwords) in the RockYou list.
--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
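The two points argued in the thread (a per-source lockout such as denyhosts is defeated once the same guesses are spread over many IPs, and a frequency wordlist check catches what the lockout does not) can be shown with a small model. This is an added example written for this page, not code from the thread, from pwscore/libpwquality or from Fedora; the lockout threshold, the RockYou-format wordlist and the attempt logs are all constructed for illustration, and the guess list reuses the user:password pairs Stephen listed. The rank computation follows Hubert's phrasing ("position N, tied with M other passwords"): standard competition ranking over the counts, so every entry with a strictly higher count precedes the candidate.

```python
"""Model of two SSH brute-force defenses from the thread: a denyhosts-style
per-source lockout and a wordlist (dictionary) check with tie-aware rank.
Everything below is constructed for illustration: the threshold, the tiny
RockYou-format list and the attempt logs are not real data or defaults."""

from collections import Counter
from typing import Dict, List, Tuple

# Constructed frequency list in RockYou "count password" format, most
# common first.  The real list has millions of entries; this is a toy.
WORDLIST = """\
290729 123456
79076 12345
59462 123456789
49952 password
33291 iloveyou
21327 princess
3 trustn01
3 hunter2
3 letmein1
2 apple
1 bob
""".splitlines()


def rank_with_ties(wordlist: List[str], candidate: str) -> Tuple[int, int]:
    """Return (position, tied_with), 1-based: position is 1 + the number of
    entries with a strictly higher count, tied_with is the number of *other*
    entries sharing the candidate's count.  (0, 0) if not in the list."""
    counts: Dict[str, int] = {}
    for line in wordlist:
        n, pw = line.split(" ", 1)
        counts[pw] = int(n)
    if candidate not in counts:
        return 0, 0
    c = counts[candidate]
    higher = sum(1 for v in counts.values() if v > c)
    tied = sum(1 for v in counts.values() if v == c) - 1
    return higher + 1, tied


def accept_password(wordlist: List[str], candidate: str, max_rank: int) -> bool:
    """Dictionary check: reject anything found within the top max_rank."""
    pos, _ = rank_with_ties(wordlist, candidate)
    return pos == 0 or pos > max_rank


class PerSourceLockout:
    """denyhosts-style: once `threshold` failures are seen from one source
    IP, every further attempt from that IP is refused."""

    def __init__(self, threshold: int) -> None:
        self.threshold = threshold
        self.failures: Counter = Counter()

    def allow(self, ip: str) -> bool:
        return self.failures[ip] < self.threshold

    def record_failure(self, ip: str) -> None:
        self.failures[ip] += 1


def run_attack(attempts: List[Tuple[str, str, str]], lockout: PerSourceLockout,
               real_password: str, user: str = "bob") -> Tuple[int, bool]:
    """Replay (ip, user, password) guesses through the lockout.  Returns
    (guesses that reached the password check, whether `user` was broken)."""
    reached = 0
    for ip, u, pw in attempts:
        if not lockout.allow(ip):
            continue  # dropped before sshd ever sees it
        reached += 1
        if u == user and pw == real_password:
            return reached, True
        lockout.record_failure(ip)
    return reached, False


# The user:password pairs from the thread, tried in the order listed.
GUESSES = [("apple", "apple"), ("apple", "123456"), ("apple", "trustn01"),
           ("bob", "bob"), ("bob", "123456"), ("bob", "trustn01"),
           ("bob", "password")]
# Non-targeted scanner: one IP tries everything (constructed address).
SINGLE_IP_ATTEMPTS = [("198.51.100.7", u, p) for u, p in GUESSES]
# Botnet: the same guesses, one per source IP (constructed addresses).
BOTNET_ATTEMPTS = [(f"203.0.113.{i + 1}", u, p) for i, (u, p) in enumerate(GUESSES)]

if __name__ == "__main__":
    print("trustn01 rank:", rank_with_ties(WORDLIST, "trustn01"))
    print("single IP :", run_attack(SINGLE_IP_ATTEMPTS, PerSourceLockout(3), "trustn01"))
    print("botnet    :", run_attack(BOTNET_ATTEMPTS, PerSourceLockout(3), "trustn01"))
    print("dictionary check accepts trustn01:", accept_password(WORDLIST, "trustn01", 10))
```

With a threshold of three failures, the single-IP scanner is cut off after its first three guesses and never reaches bob's account, while the same seven guesses from seven addresses all get through and the sixth one succeeds; only the wordlist check refuses 'trustn01' up front, which is the ordering Hubert argues for.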