RE: Deliberately create slow SSH response?



Unfortunately, I never know exactly where I'll be logging in from and
maintaining a blacklist/whitelist is tiresome. As for moving the port
(another suggestion I saw) that's not really a possibility for me either
because some of the remote locations I shell in from don't allow traffic
out non-standard ports.

On Thu, 2008-07-10 at 18:54 +0000, Sergio Castro wrote:
Indeed, I agree.
The point I'm trying to convey is that if the objective is to reduce the
chance of an attack getting through, and given the fact that the service is
SSH, then a better solution may be to limit access to trusted IPs.
That's all I'm saying :)

-----Original Message-----
From: Bryan Christ [mailto:bryan.christ@xxxxxx]
Sent: Thursday, July 10, 2008 01:51 p.m.
To: Sergio Castro
CC: 'Zembower, Kevin'; secureshell@xxxxxxxxxxxxxxxxx
Subject: RE: Deliberately create slow SSH response?

Sergio,

I think Kevin and I realize that dictionary attacks are automated, but a
30-60 second delay would significantly slow them down to the point where it
could hardly be called a brute force attack.

On Wed, 2008-07-09 at 17:14 +0000, Sergio Castro wrote:
The brute force attacks are most likely automated, so if your
objective is to bore a human to death with 30 second delays, it won't
work.

Have you thought about limiting access to the service to only certain IPs?

- Sergio

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Zembower, Kevin
Sent: Wednesday, July 09, 2008 11:56 a.m.
To: secureshell@xxxxxxxxxxxxxxxxx
Subject: Deliberately create slow SSH response?

This might seem like a strange question to ask, but is there a way to
deliberately create a slow response to an SSH request? I'm annoyed at
the large number of distributed SSH brute-force attacks on a server I
administer, trying to guess the password for 'root' and other accounts.
I think that my server is pretty secure; doesn't allow root to log in
through SSH, only a restricted number of accounts are allowed SSH
access, with I think pretty good passwords. But still, the attempts annoy
me.

I wouldn't mind if SSH took say 30 seconds to ask me for my password.
This would slow the attempts. Is there any way to configure OpenSSH to
do this? I searched the archives of this group with 'slow' and 'delay'
but didn't come up with anything on this topic. Please point it out to
me if I overlooked anything. In addition, I can limit the number of
SSH connections to 3-5 and still operate okay.

Ultimately, I need this solution for hosts running OpenSSH_3.9p1 under
RHEL ES 4 and OpenSSH_4.3p2 under Debian 'etch' 4.0 and Fedora Core 6.

Thanks in advance for your advice and suggestions.

-Kevin

Kevin Zembower
Internet Services Group manager
Center for Communication Programs
Bloomberg School of Public Health
Johns Hopkins University
111 Market Place, Suite 310
Baltimore, Maryland 21202
410-659-6139

