Contributed by mk/reverse on from the no-bruteforcing-pick-one dept.
Yes | 24.7% (241 votes)
No | 75.3% (735 votes)
Total votes: 976
(Comments are closed)
OpenBSD Journal
Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]
By Honolulu Dark Grey Fox (62.175.42.214) on
1 second per password try -> 18^8(*) seconds average for breaking in.
(*) Stands for 350 years, approx.
Comments
By SH (82.182.103.172) on
By Roy (24.34.19.74) on
By Matt Van Mater (65.205.28.104) on
By Matt (65.205.28.104) on
By Charles Hill (216.229.170.65) on
MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the sshd daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10.
My issue last week (when this happened to me) wasn't worrying about brute forcing of passwords, it was about not being able to get in to my system because all of the possible connections were tied up. DOSed by some script kiddie in Germany, according to my logs.
Protection against brute force password cracking is easy. Just don't allow root logins to ssh and don't allow passwords -- certificates only.
DOS, on the other hand, can be a pain.
-Charles
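An added example, not Charles' own configuration: sshd_config settings that address both points he raises (connection-slot exhaustion and password guessing). The numeric values are illustrative choices, not OpenSSH defaults.

```sshd_config
# Random early drop instead of a hard MaxStartups cutoff: with 10
# unauthenticated connections pending, sshd starts refusing new ones with
# probability 30%, rising linearly to 100% at 60 pending connections.
# A single flooding source can no longer hold every slot.
MaxStartups 10:30:60

# Release a stuck unauthenticated slot sooner than the 120-second default.
LoginGraceTime 30

# Charles' two mitigations against password brute forcing.
PermitRootLogin no
PasswordAuthentication no
# On OpenBSD, keyboard-interactive (bsdauth) can still prompt for a
# password unless this is disabled too.
ChallengeResponseAuthentication no
PubkeyAuthentication yes
```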
By Sean Brown (68.147.204.101) on
By Han (217.120.147.78) on
By Anonymous Coward (203.80.97.18) on
By Michael Knudsen (217.157.199.114) on
I've done this, but not because I'm worried about these attacks (PasswordAuthentication no). I did it because some public networks only allow users to surf the web, so typically only 80 and 443 are allowed through. I run a web server at home but I don't use SSL, thus sshd also listens on 443.
I know I'm probably violating the AUP of said public networks.
By Anonymous Coward (172.184.133.244) on
hehe
By Han (217.120.147.78) on
By Michael Knudsen (217.157.199.114) on
With -current netcat you can tunnel stuff through SOCKS4/-5 and HTTP too. I use gotthard for ssh, though.
By Anonymous Coward (172.184.133.244) on
Remember that permutations and combinations math (figure it out via http://en.wikipedia.org/wiki/Permutations) is slightly different from the total number of available characters (upper/lower etc., not forgetting numerics and other ASCII chars).
For example your 4 digit ATM PIN has 4^10 numbers, but only 210 combinations where the order matters (your PIN), yet you only get 3 attempts before you're locked out.
Anyway - this is a load of conjecture, and it all depends on the admin/policy and misc variables as ever.
Anon
By Anonymous Coward (194.230.161.20) on
By Mike Carr (216.232.114.125) mcarr@pachogrande.com on http://pachogrande.com/
A 4 digit ATM PIN, assuming that you're using the digits from 0 to 9, has 10^4 possibilities, not 4^10. Actually, 4^10 > 10^4, so you were overstating the difficulty of it.
Additionally, order *does* matter. A PIN of 1234 is not the same as a PIN of 4321.
In addition to that, I'm totally lost as to where 210 combinations came from... But I'll leave it at that.
By Anonymous Coward (24.201.62.155) on
By Anonymous Coward (156.153.255.243) on
By I am not going to give you a valid username (62.195.69.105) on
And with dog, blue, larisa, shell, barbara, god, rose for that matter.
Is it some kind of joke? I don't know people with names like that.
Mmm, I just started to wonder: will adding this to pf.conf do anything?
rdr on $ext_if proto tcp from $badip to any port ssh -> $badip port ssh
Probably not a great idea.
By Anonymous Coward (62.195.69.105) on
By Anonymous Coward (12.33.122.68) on
By Anonymous Coward (212.202.38.11) on
By Anonymous Coward (82.137.75.4) on
By Anonymous Coward (83.65.85.185) on
No, I fear not. I had a look at the source code: you should fear more that your kernel has security holes, and most of all that your system configuration opens security holes, really.
By Merlin (64.103.37.72) on http://www.darchis.be/eric/blog/
But I am worried that I am still getting attacks and I can only assume no one actually got in and wiped his traces. I'd love to have some kind of limitation like limit inbound ssh connections per IP address to 3/minute. That would not impact me at all and keep brute force crackers away.
Changing the port is not really solving the problem. It's like changing the name of the Movable Type comment script.
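The per-source limit Merlin asks for is exactly what pf's max-src-conn-rate and overload options do. This is an added example, not Merlin's or the OpenBSD project's own configuration; the interface name and table name are assumptions, and the syntax needs the pf shipped with OpenBSD 3.7 or newer.

```pf
ext_if = "fxp0"
table <bruteforce> persist

# Sources already in the table are dropped before any state lookup.
block in quick on $ext_if proto tcp from <bruteforce> to any port ssh

# Allow ssh but track each source address: more than 3 new connections
# within 60 seconds adds the source to <bruteforce> and, with "flush
# global", tears down every state that address already holds.
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state \
    (max-src-conn-rate 3/60, overload <bruteforce> flush global)
```

Entries never age out on their own; a cron job running `pfctl -t bruteforce -T expire 86400` clears addresses that have been quiet for a day.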
By Anonymous Coward (80.141.175.203) on
By dkaplowitz (153.104.209.55) on
By sbr (66.11.172.61) sbr@gnook.org on http://gnook.org/~sbr/