On Tue, Feb 24, 2015 at 8:45 AM, Stephen John Smoogen <smooge(a)gmail.com> wrote:
On 24 February 2015 at 05:46, Hubert Kario <hkario(a)redhat.com> wrote:
>
> On Tuesday 24 February 2015 13:08:46 Tomas Mraz wrote:
> > On Út, 2015-02-24 at 12:32 +0100, Hubert Kario wrote:
>
> > > rate limiting and denyhosts have no impact whatsoever when the
> > > attacker has a botnet at his disposal
> >
> > Large botnet means that the attack is targeted. I do not think we can
> > prevent targeted attack against weak password in the default
> > configuration. What we should aim at is prevention of non-targeted
> > attacks such as attacks you can see when you open ssh port on a public
> > IP almost immediately. These attacks usually come from single IP
> > address.
>
> Not necessarily, I've seen both - where an IP did try just 2 or 3
> password/user combinations and ones that did try dozens.
>
> Having access to a botnet is not uncommon or expensive, making it possible
> for "bored student" kind of targeted attacks. You can do low level of such
> an attack with just EC2.
>
> I'm not saying that we shouldn't have rate limiting, but it shouldn't be
> the only thing above simple dictionary check.
>
That matches what I am seeing with a couple of random servers I have out
there. The number of attacks where IP address one is doing
apple:apple
apple:123456
apple:trustn01
apple:...
bob:bob
bob:123456
bob:trustn01
bob:password
Half of these will be allowed with the current installer behavior:
# pwscore
apple:123456
55
# pwscore
apple:trustn01
84
# pwscore
bob:trustn01
55
# pwscore
bob:password
58
--
Chris Murphy
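
Added example, not part of the original thread: a log-analysis sketch of the point debated above, that a per-IP failure threshold (the denyhosts-style check) misses guessing spread a few attempts per address, while counting distinct source addresses per account exposes it. The sshd log lines are constructed, and the function names and thresholds are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict

# Matches OpenSSH "Failed password" lines, with or without "invalid user".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def build_sample():
    """Constructed log: 6 hosts making 2 guesses each, plus one noisy host."""
    lines = []
    for i in range(12):
        user = "apple" if i % 2 == 0 else "bob"
        prefix = "invalid user " if user == "apple" else ""
        lines.append(
            f"Feb 24 08:45:{i:02d} host sshd[{1000 + i}]: Failed password for "
            f"{prefix}{user} from 192.0.2.{10 + i // 2} port {40000 + i} ssh2"
        )
    for i in range(8):
        lines.append(
            f"Feb 24 08:46:{i:02d} host sshd[{2000 + i}]: Failed password for "
            f"root from 203.0.113.7 port {41000 + i} ssh2"
        )
    lines.append("Feb 24 08:47:00 host sshd[3000]: Accepted publickey for "
                 "admin from 198.51.100.4 port 50000 ssh2")
    return lines

def parse_failures(lines):
    """Return (user, source_ip) for every failed password attempt."""
    return [m.groups() for m in map(FAILED.search, lines) if m]

def per_ip_offenders(events, threshold=5):
    """Per-address rate check: addresses with >= threshold failures."""
    counts = Counter(ip for _, ip in events)
    return {ip: n for ip, n in counts.items() if n >= threshold}

def distributed_targets(events, min_ips=4):
    """Per-account check: accounts failed against from >= min_ips addresses."""
    sources = defaultdict(set)
    for user, ip in events:
        sources[user].add(ip)
    return {u: len(ips) for u, ips in sources.items() if len(ips) >= min_ips}

if __name__ == "__main__":
    events = parse_failures(build_sample())
    print("flagged by per-IP threshold:", per_ip_offenders(events))
    print("accounts guessed from many addresses:", distributed_targets(events))
```

In the constructed data only the single noisy address trips the per-IP threshold; the twelve guesses against apple and bob, two per address, show up only in the per-account view.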