I love IP Tables.... (really sshd attacks)

jdow jdow at earthlink.net
Sat May 26 00:00:35 UTC 2007


From: "Wolfgang S. Rupprecht" <wolfgang.rupprecht+gnus200705 at gmail.com>
>
> "jdow" <jdow at earthlink.net> writes:
>> The common attack is a dictionary attack with several attempts a second.
>> So of course, they get one shot to crack a password, usually for 
>> <snicker>
>> root, which is dumb to begin with. After that first attempt they are
>> blocked for the rest of their run.
>
> Why not just disallow unix-passwords in ssh?  No passwords, no
> dictionary attack.  Guessing an RSA 1k password by trying each should
> keep them busy for quite a long time. (many, many times the lifetime
> of the universe even if they can test multiple billions per second.)
>
> Here is a page I wrote years ago when sshd attackers were starting to
> hammer a machine I help run in a university setting.  I couldn't be
> sure that the users actually had good passwords.  This fixed the
> problem because it really doesn't matter at all what passwords they
> chose.  Ssh never uses those passwords on the wire.  The only thing
> that matters is the 1k number the computer chose for them.
>
>   http://www.wsrcc.com/wolfgang/sshd-config.html

I wasn't always sure it would be used from a machine that had the
necessary key on it. Sometimes getting PuTTY or a real ssh onto a
machine is tough enough. For keeping people out, belt, suspenders,
and a buncha safety pins to the shirt is maybe enough. If I gotta
get in myself and don't want to dedicate days doing so, then I need
at least belt and suspenders, key and password, access. Key access
is for easy access. Password access is for when the key isn't all
present and accounted for. And as I say, even guessing "abcdefg"
as a password is bad enough. "abcDefg" would be even worse. And I
fully expect to have a new password in place before the goof gets
past the password dictionary into systematic alphabetic attacks.
They become obvious in the logs astonishingly quickly compared to
any possible guessing time.

(Besides, if I just went to the "key" thing one of the last things
keeping me from moving to FreeBSD would be gone; and, I'd not be
here to pester you guys from time to time over silly rants. {^_-})

{^_^} 
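The two approaches in this exchange, Wolfgang's "no passwords, no dictionary attack" sshd_config change and jdow's one-shot iptables blocking, as an added example that is not code from the original post, from the wsrcc.com page, or from either poster. The directive choices, the file paths, the port and time window, and the exact shape of the iptables rules are the editor's assumptions; the sample sshd_config at the bottom is constructed for the demo, not a real system file.

```shell
#!/bin/sh
# Added example (editor's code, not the original poster's). It rewrites the
# global section of an sshd_config so that only public-key authentication is
# accepted, and prints (does not apply) iptables rules that give each source
# address one new SSH connection before further attempts are dropped.

# set_directive FILE KEY VALUE
# Replaces KEY in the global section of FILE, even when it is present only as
# a commented-out default, drops duplicate global copies, and otherwise inserts
# "KEY VALUE" before the first Match block. sshd applies directives that follow
# a Match line only to that block, so appending blindly at end-of-file could
# land the directive inside a Match block; lines inside Match blocks are
# therefore left exactly as written.
set_directive() {
  file=$1; key=$2; value=$3
  awk -v key="$key" -v value="$value" '
    BEGIN { found = 0; in_match = 0 }
    {
      if (in_match) { print; next }
      line = $0
      sub(/^[ \t]*#?[ \t]*/, "", line)      # strip indentation and one leading "#"
      split(line, f, /[ \t=]+/)
      tok = tolower(f[1])
      if (tok == "match") {
        if (!found) { print key " " value; found = 1 }
        in_match = 1
        print; next
      }
      if (tok == tolower(key)) {
        if (!found) { print key " " value; found = 1 }
        next                                 # drop the old value and duplicates
      }
      print
    }
    END { if (!found) print key " " value }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# harden_sshd_config FILE: key-only logins, no root login, and no
# keyboard-interactive (PAM) password prompts. ChallengeResponseAuthentication
# is the OpenSSH 4.x-era name; current releases still accept it as an alias of
# KbdInteractiveAuthentication. Remember to test a key login in a second
# session before closing the one you edited from.
harden_sshd_config() {
  set_directive "$1" PubkeyAuthentication yes
  set_directive "$1" PasswordAuthentication no
  set_directive "$1" ChallengeResponseAuthentication no
  set_directive "$1" PermitRootLogin no
}

# ssh_one_shot_rules [PORT] [WINDOW]: print iptables rules using the "recent"
# match. The first new connection from an address is recorded; a second new
# connection within WINDOW seconds is dropped, and because --update refreshes
# the timestamp, every further attempt extends the block. The rules assume an
# ACCEPT rule for PORT follows them in the INPUT chain. Apply as root.
ssh_one_shot_rules() {
  port=${1:-22}; window=${2:-600}
  cat <<EOF
iptables -A INPUT -p tcp --dport $port -m state --state NEW -m recent --name SSH --set
iptables -A INPUT -p tcp --dport $port -m state --state NEW -m recent --name SSH --update --seconds $window --hitcount 2 -j DROP
EOF
}

# Demo on a constructed sshd_config (not a real system file).
demo_file=$(mktemp)
printf '%s\n' \
  '# Default: #PasswordAuthentication yes' \
  '#PasswordAuthentication yes' \
  'PermitRootLogin yes' \
  'Match User backup' \
  '    PasswordAuthentication no' > "$demo_file"
harden_sshd_config "$demo_file"
cat "$demo_file"
ssh_one_shot_rules 22 600
rm -f "$demo_file"
```

On the constructed sample the commented default becomes `PasswordAuthentication no`, `PermitRootLogin` flips to `no`, and the two directives that were missing are inserted before `Match User backup` rather than after it, so the per-user override inside the Match block keeps its meaning.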




More information about the users mailing list