On Tuesday 24 February 2015 08:53:04 Chris Murphy wrote:
On Tue, Feb 24, 2015 at 8:45 AM, Stephen John Smoogen
> On 24 February 2015 at 05:46, Hubert Kario
>> On Tuesday 24 February 2015 13:08:46 Tomas Mraz wrote:
>> > On Út, 2015-02-24 at 12:32 +0100, Hubert Kario wrote:
>> > > rate limiting and denyhosts have no impact what so ever when the
>> > > attacker
>> > > has a botnet to his disposal
>> > Large botnet means that the attack is targeted. I do not think we can
>> > prevent targeted attack against weak password in the default
>> > configuration. What we should aim at is prevention of non-targeted
>> > attacks such as attacks you can see when you open ssh port on a public
>> > IP almost immediately. These attacks usually come from single IP
>> > address.
>> Not necessarily, I've seen both - where an IP did try just 2 or 3
>> password/user combinations and ones that did try dozens.
>> Having access to botnet is not uncommon or expensive, making it possible
>> "bored student" kind of targeted attacks. You can do low level of such
>> attack with just EC2.
>> I'm not saying that we shouldn't have rate limiting, but it
>> only thing above simple dictionary check.
> That matches what I am seeing with a couple of random servers I have out
> there. The number of attacks where IP address one is doing
Half of these will be allowed with the current installer behavior:
I think that Stephen meant:
for user name 'apple' the attacker tries 'apple', '123456',
for user name 'bob'...
But yes, 'trustn01' is accepted, with score of 1
though if trustn01 is really a third password tested it's rather surprising,
it is on 83823 position (tied with 3493 other passwords) in the RockYou list
Quality Engineer, QE BaseOS Security team
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic